Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/08/2023, 10:38

General

  • Target

    d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

  • Size

    164KB

  • MD5

    6b391f91c63765876e2571e87fe46575

  • SHA1

    d508632ca452af6325c06434b29883cfa55d7948

  • SHA256

    d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c

  • SHA512

    2e1c522393b137d7847c405cdaa735a4255fde534c8006460ef1a984eacc135fd8668fbd756d06b9011299911c2fd57c1a9112d01c046ebe8c98058b1abfae34

  • SSDEEP

    3072:pEa2d8CfSXceqmPDu7lvspW0kAo0BQhyI0hQMnnsJ:5CqlPDuBkJpoQQgdnns

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\e7s2sn8w3p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension e7s2sn8w3p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/34A77008B6B4989C

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/34A77008B6B4989C

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
BHYdeQSSv3xCyhG9r+BkXv1ZFFeQsoiTdiisFlGz0UNvhPg5SRUcaNGgKnio/Ps3 Y8Fwk6IjRYE0jk1xUqrerJB8ip0zwVMzrJ4bg1vtQQQQe6NuE0x/hbP7i+O6+JoZ nG6iJz3A7pae383xEhbP/vwoJ4vPxMAENAQraUYPyARnzR7GmQCZjV0HDiaWwQiU w4+5fd5M6B8PT8Wc7KpBWQwLXLQ1U0Lku3zbDjtibKswpi7t+Ae/cfK20+BODFCR RJJ4NWM4K6+jE7c4xISmPGoAfmgKvSGzlSEGDHPHl2ofRCSPn7HXQu0ig+pe4auk WdOkS2QB0DiozgmDDk/2zwAJ//5XMSdBMmgagIxwMEBgFHnj03ndnBuDzrIIYfs1 DzwJVNU4LNrZzaWAaURXe0cKez57buVYpMSxrA6pFeObFpzBjiDJ2gacacMAwIlt 1bbzHgjdZ2cu32kdLx330ZT7wT9sDH/tb1+WpFbcBzWFDre5+FcgpUOzkpek5iDc ETQ0+amSinYyvVXw0i+diMLGq1Waw9U29xS2mmvrE2fvwIQg7Pzckjm3Go5wJCPI vfABTeV8/Nk9/ap3PlgFtfLzym6r0y2pkUqtOL1WS3aI7tmx9hhl+c6maq+j9VCZ 94iOi8IGrvVqnG4fOLXtcrchWYAdKM0mMFDBL49sBMRolumETh4/iD+SSzsCxN2e MUT12Q79/GNYW2rB2xLGxl+nMjCksUvZf3Yz66mAwdLBxizdxeeylgMNpP6pjMac 1W8fmRw/ieyYFDU9k+Uorkla0QzucGDoWftnk0tOSor7Jl3A6to3NVQMvaO1v0Ek 7h+0gdh/nv/Fj0CXBOHEzoU8MteEGkHnVOHlswRh8ud++m1B9GzsKTu+PDUHXiTc MXw08FlrLfWKbqqaFkA/oEWWzbnPjh1/ohQ0hds+fO928nbtod0cXgSe4tBaNbg4 aaT6sf39pHdM5VVAbpbi5T2wwNOPAJ8vtC4caNuigENnApcOmUy3xI764dqtyCws NW2JpIrryVXOUc3DzHp9ZNUI+XscOIyTsSAqm7yB6oKLk/2davh8ePnF/HM927Jr z5D4atSJg+cW4DugyIZWri5kFibvWnCJ9ahiZ3/9bXzyCDC4Y56cx8eaRdSACpmM Hn0T5LBkB+6+Z6eVKa7TGXWC4Ztegf5ql6JoRCIBxCFVfeQ+V4AueNK5Lp3bRrDI i+43QXs2yoaeVfwZgWSr8cha6tjBZHQQ9yQ=
Extension name: e7s2sn8w3p

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/34A77008B6B4989C

http://decryptor.top/34A77008B6B4989C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:464
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4980
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1044

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Recovery\e7s2sn8w3p-readme.txt

            Filesize

            6KB

            MD5

            5b49318025c4e933a51d1c11392e83fb

            SHA1

            7f3ee2d3dcc8396198fc6d2ba2198311f6d32771

            SHA256

            4948b108ce2073e5b392a4cefa3b25419fe176be5e8908b60e3aed80ef45462f

            SHA512

            ce1c6353217366fe33134cf5ba9adcfe274276f75aaf43191c97a61ed138c25b6107cea797f617f3a189ffea9bf2118d803b82559b16dbcf06ff8bf269ed2029

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsxocjph.qxh.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/464-133-0x00000148A6C00000-0x00000148A6C22000-memory.dmp

            Filesize

            136KB

          • memory/464-143-0x00007FFEEAE00000-0x00007FFEEB8C1000-memory.dmp

            Filesize

            10.8MB

          • memory/464-144-0x000001488DD90000-0x000001488DDA0000-memory.dmp

            Filesize

            64KB

          • memory/464-145-0x000001488DD90000-0x000001488DDA0000-memory.dmp

            Filesize

            64KB

          • memory/464-146-0x000001488DD90000-0x000001488DDA0000-memory.dmp

            Filesize

            64KB

          • memory/464-149-0x00007FFEEAE00000-0x00007FFEEB8C1000-memory.dmp

            Filesize

            10.8MB