Overview

overview

10

Static

static

3

97a2331bc8...63.exe

windows7-x64

10

97a2331bc8...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2023 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

  • Size

    221KB

  • MD5

    77ed1092409c927f5cd1992021f99147

  • SHA1

    4c9027e660614db7fe653e67a7ac0b726b52cc44

  • SHA256

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463

  • SHA512

    1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a

  • SSDEEP

    6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq

Score
10/10
sodinokibi$2a$10$mabwjcxkb3kropx5kearm.sc7uhuubcbvrc/j3kvhmn3f11eujg3.4402persistenceransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

Campaign

4402

Decoy

gopackapp.com

croftprecision.co.uk

sanyue119.com

chatizel-paysage.fr

falcou.fr

theshungiteexperience.com.au

xn--vrftet-pua.biz

slimani.net

vibethink.net

mrxermon.de

hebkft.hu

danskretursystem.dk

castillobalduz.es

pmc-services.de

advizewealth.com

pixelarttees.com

testcoreprohealthuk.com

ino-professional.ru

alvinschwartz.wordpress.com

mercantedifiori.com
Attributes
  • net

    true

  • pid

    $2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

  • prc

    isqlplussvc

    mydesktopqos

    onenote

    ocomm

    dbsnmp

    powerpnt

    winword

    thebat

    sql

    infopath

    visio

    firefox

    tbirdconfig

    wordpad

    agntsvc

    msaccess

    sqbcoreservice

    xfssvccon

    dbeng50

    thunderbird

    outlook

    mspub

    excel

    mydesktopservice

    steam

    ocautoupds

    oracle

    encsvc

    synctime

    ocssd

  • ransom_oneliner

    Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!

  • ransom_template

    Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}

  • sub

    4402

  • svc

    vss

    backup

    svc$

    memtas

    sql

    veeam

    mepocs

    sophos

Extracted

Path

C:\Recovery\readme-ovxmopp-NOW.txt

Ransom Note
Your files are locked due to a vulnerability in your system by "ovxmopp" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/4B13C627D46B7444 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444 After going to the site, enter the following code: 28KcMc/kmhvEq6BqQZltUPfqz0x1+utMG1QEPyneIigghEQIlsuwejKhmYE/w955 PrMvoZV8WI/Ei2z271VUdfaZ6TLB8oxQEY4LL2WgZ3TRhTJSi7DQjIsnKMC64Ptt XReK2NUL9TSiUC2Pc9qVHAdcFA4tHf1kS8lUZqJtKwJwpBwq7pM/RsQ/uRHoWclJ p/I9Fe42w+3cVLjgCMxwQjdK35k45wIm1Dnye0ZAlOz3DqtlfAZRiXE1anRlH0HM BG71ydNabyOf+BxPuc092x1QDwjP3HPKd2jXEZQZ9Dm/i1C1tmQvuQ7rzL4nxmdz xQyJAI1txLgpF/dVTthRBwQoc73bdauriFhhQgA2AUfcOh6iH1pzG0IvDPiOH1hU jiT5dU0yyUwhmelwAVTt7Yy1kbc9PWQOugSCwnGWqYwBr48PoxYjA1AxVXp0u/eo 4voMXhO6VeGGfTUe6R8/+SMPG9qw6MOYQRlRYDeT4z94auqZrIPv077sk2yUjYuq ous/rHFdj37eAzd36+jKlnt/Mon7bNGL2bUGDov/i2E4NIbPYDm0nGB28K4o9W+R 7+0ozf4vKrSdDuavkZ9ZeRgCtINnrbCJwRWJPJZdkVEoWsBpIe68DmeL4vP3rAic m/TNA5eIfyH3MqZ/blkSpBEPM70yHaprfCEq5EYP3OgjMKaEf22AJmnPm7/3xUX4 Syz2DKFtoxshhXPRWLbWrBqYMMPoVcLswOfDSKJNlR+EcWfbGYCjBei+US13X4om NFnukHR0ZqtHtZy8jQfUz5WYuOEW89Y9FMZp4m5R/JbeXesYxTDBAJTgmvoDRM3w /z843g1XwP+GEO4Vv2pvO/Zyrkgwgu6nvg5onjgo1y2kssMYViCfRqIw3qqJcIzt eM/xxwj9qOCsGDmCfCr5HBB+EXjogVGJpuP9dS3nr2/8pp8mXm6QR3O0ZZxsAJXf LurVSCbJ7rOzmUmFpOxOonI/NzPSCgk4DTF40KweYwIOybg74g9KlwvTqmt4/CxU LiglQli73602sNDPQ+f7uxU6byERsqxfRMCCeNzdxP7DGDMXaJzqxymIWldqYmJg Pjp39v0sOEbeoXWUfSLsZ4EJRI22ZoxYySsEBK1HJ4l2NFsfy7X+p3NIG4NlqhbF gT3IshbfYncx5hiznhEG0v6/oMigDTRy6HHKZE1iMUAGHTBJNV7EwkpQIC1mQMvp qWF9LaG+TQ/S5Lu+sB3Db0GjIYQihoFpJRydKNkMwgeNoqAYuVbw/aV1dywArB6D mH3W7iRyd7UPBVFfr0anDREWSc9RcLThH5cHWvO2K/IBCFoeoQ0/lEqOMxTDLNUF ojcY/ogwMkf7OQPOICT+rVI1+mRmBaB+UndDCMBEfQNKDxAdLlUxIg==
URLs

http://decryptor.cc/4B13C627D46B7444

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 21 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
    "C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3532
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3640

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\readme-ovxmopp-NOW.txt
      Filesize

      5KB

      MD5

      448717cc613f7c4c1b88e9913c7fce49

      SHA1

      21c0b07140bb7106626000bf771170a9c3d85c0b

      SHA256

      76e0168ddc8710eac49928713b22afd23113aa2cb72e328b5112b212f543a377

      SHA512

      2cc41496bc8280d04de9d26920f2da580198bc9a94d83a5f162b6945d839414897bcf03953b68e03bbfc97eb5353e8cafe26989b934170287a039d6548237bb3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdbp4etl.nlb.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/2968-577-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-134-0x0000000000A70000-0x0000000000B70000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2968-587-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-584-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-580-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-579-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-136-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-153-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-160-0x0000000000A70000-0x0000000000B70000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2968-135-0x00000000001C0000-0x00000000001EB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/2968-570-0x00000000001C0000-0x00000000001EB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/2968-571-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/2968-575-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/3892-152-0x00007FF958690000-0x00007FF959151000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3892-149-0x000001C5EAF60000-0x000001C5EAF70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3892-148-0x000001C5EAF60000-0x000001C5EAF70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3892-147-0x00007FF958690000-0x00007FF959151000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3892-146-0x000001C5EB310000-0x000001C5EB332000-memory.dmp
      Filesize

      136KB

      Download