Analysis

  • max time kernel
    137s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230712-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-08-2023 15:35

General

  • Target
    123.exe
  • Size
    218KB
  • MD5
    06122ab780f95516e52eeadcc5384f64
  • SHA1
    c54c8d31b77deefb6a4e03ecec613b75f75c20ab
  • SHA256
    337900815fcd44fdafedea82ebebec9454e3eb789d63072add59f812a5983604
  • SHA512
    ba9b24857875c751ba05a1139b689ab294ab4f41d03ca871be5648d03da577170be22e6383c42662da4ded515c063418ed82aa955b0c20cba257639143b70dc6
  • SSDEEP
    3072:gUwEMgkp2ikbL7fUhRiq9GrhvQWZoa+XGOT4w8Y08i3a5kbKS3CmJo:gUnMgVbs25rVwDAaibKqCe

Malware Config

Extracted

  • Family
    sodinokibi
  • Botnet
    $2a$12$ZRbGt.TkbFIxsHETy/DgxeuGjWaLzaHrccVKRVs0/EwpW1qFY0WHi
  • Campaign
    8249
  • Decoy
    izzi360.com
    devstyle.org
    ziegler-praezisionsteile.de
    rumahminangberdaya.com
    justinvieira.com
    edv-live.de
    smithmediastrategies.com
    innote.fi
    waynela.com
    precisionbevel.com
    sanyue119.com
    hexcreatives.co
    xltyu.com
    slimidealherbal.com
    naturalrapids.com
    edelman.jp
    bildungsunderlebnis.haus
    verbisonline.com
    asteriag.com
    2ekeus.nl

Attributes
  • net

    true

  • pid

    $2a$12$ZRbGt.TkbFIxsHETy/DgxeuGjWaLzaHrccVKRVs0/EwpW1qFY0WHi

  • prc

    dbsnmp
    mydesktopservice
    thunderbird
    ocautoupds
    excel
    encsvc
    ocssd
    steam
    winword
    sql
    visio
    outlook
    agntsvc
    oracle
    ocomm
    msaccess
    onenote
    wordpad
    powerpnt
    tbirdconfig
    infopath
    dbeng50
    thebat
    sqbcoreservice
    firefox
    xfssvccon
    isqlplussvc
    mspub
    mydesktopqos
    synctime

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). Also we downloaded whole file server and make Sage backup, that means leak includes: -Detailed engineering diagrams; -Finance reports (Payrolls, incomes, budget and so on); -NDA with customers and subcontractors; -Employee information; -Other things; In case of your silence we will publish it in our "Happy blog" [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8249

  • svc

    sql
    memtas
    backup
    svc$
    veeam
    sophos
    vss
    mepocs

Extracted

  • Path
    C:\Users\2kf1dk1-readme.txt
  • Family
    sodinokibi
  • Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2kf1dk1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). Also we downloaded whole file server and make Sage backup, that means leak includes: -Detailed engineering diagrams; -Finance reports (Payrolls, incomes, budget and so on); -NDA with customers and subcontractors; -Employee information; -Other things; In case of your silence we will publish it in our "Happy blog" [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7E7B8EB63478F193 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/7E7B8EB63478F193 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: T71TjuTzL+KtZ0aQXqfwhHGrlCDVums1392wX3+YksoEPX416aKHNEi3rUztg/7d mU5ipNUZOWUB/M9n5kO1FXCORTg6PhZll9PM8JJm6tY3u5z4hWMUse3p5i+Lb8KP 3+mfykwfwItywzQbvhRb34ok49KSnVv8kKWU/YZSY83FLUV3aqi57gd3hKL68mnt +Q3ugRCcP1WWIOy7G7xYjLC4XCIAreQiVm9iKzuz7h9kxuh+yUJIeHfniVTH9ntH gfMWrM3l2eGZTebT6kykgEAZyK55X6LEIq5N5zKHJKlQUCTt5YIkXZIYtIXescHY Usf0cEH9VJM0YetU4pbqlcoMc4dJE5JO9wttzpSpNal/+Dci6YiATN71OOO3/fDZ fsN8GW64nVzQJ5Np8vSQnLXRCexN5qwZF0s53B1cCLAqO5rTb5vh5KbaGQu/7UNs V1AWFh2kBDcs/FC00R35+w5yiP4hj1jQ+2jEjighcvPIWPzYUvPQdEALdWVlDMfk mnvH8Q7eYqZbF2V91/mUaDUgHOmtCR/jj7o7NxjKP1t+N8+ziRlxZUJfe0qeLzOK AzYcefg17IKZLtYHlOasNLXydOk5hM1bTmlhf7ki2pa5MOgqJbx467sbc026F15p QE8e4U2VXsSbD6rmk09pX1i97AkhiKWfxZtnkKU/QquI55fObdc4x+aqkPO+qDoP f3lks7ce7CYM9yp3UBUiKIq2cJcHiiqnap6Kgrc/iZZuvXaS4CMlWno0mi6Zbdkm 6OOkXqBVvFCZr6I/lNb/T3izb2t64/1edgeOrYNGwrsgRElt/2j2jObRajV/4ieg hfVP5g4GOX24TMb7y7IaC6izFV/cIsQ44VuAmWJ2KtPZ3yY55aNmVeaMmxvQWiaY 9zr1gwt7nF0Ie61MhNSa2v+BpG0HZwY+H8YqCZaQLLgZxDg3ua3V26Hk24sKi874 Pm0l+L0ivQDvI+eCySAaLPGZ9posSwqVtUjNSbJtLSXCVohB6pCMGvM/P6OTzGeB yLZuxnrc0Yy2xtN3Z3SO7fzRGtgxtDX1ZYC0WKf1qMDw2TXrzfJbksBzZE7iHN6m ZQfLom/Cl7PoZMJo+xofeDUtsx5tFNko+mo91vvxyhFh/LXBenTkOZbehwrpuSYV haJ8198txIYBcouQxLFbSlkv2leFw1fJ09VS0fZxiHVTYyS1ZTCzIMQ4WIkWL9Ax ofAfODRxjoR7dEScjMbdsuFi866MKVz3nw7AKlUDptF5wx5Oy4xdKT76i2GQ/ubp G+wouzwhPqtdPIo3SWv/LL9wZ0WywpykUTEMRlsECx1mr7tGJS1Es9YOh7SBt2VB PJKrC9Gwv4XzEVJ5v+/ret19CjC6Rf71 ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7E7B8EB63478F193

http://decoder.re/7E7B8EB63478F193

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:1888
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:344
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2344
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\2kf1dk1-readme.txt
    1⤵
    PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1124

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Create or Modify System Process (1) T1543
    Windows Service (1) T1543.003
  • Privilege Escalation
    Create or Modify System Process (1) T1543
    Windows Service (1) T1543.003
  • Defense Evasion
    Modify Registry (2) T1112
    Subvert Trust Controls (1) T1553
    Install Root Certificate (1) T1553.004
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082
  • Impact
    Defacement (1) T1491


Downloads

  • C:\Users\2kf1dk1-readme.txt
    Filesize: 7KB
    MD5: 4b0a445f7f1159b7049b847b98d6ca77
    SHA1: bcb6f7bd75de25e2e135651a4ee8a5c200b4c96e
    SHA256: 4ea1a4ecf68a4ebc56700da0f65896493f34d4fb816de0b6dc3b9ab68c7bf178
    SHA512: bcfa7cb470ee090e20b6df6c63b72ca88f83c59234687e3e82b9faa0bcc8fc8f23824d7b12f3d516ef54c1f5ec5b82121665e6e4e3688c82340567361befba36
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 61KB
    MD5: e56ec378251cd65923ad88c1e14d0b6e
    SHA1: 7f5d986e0a34dd81487f6439fb0446ffa52a712e
    SHA256: 32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0
    SHA512: 2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa
  • C:\Users\Admin\AppData\Local\Temp\Cab762.tmp
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
  • C:\Users\Admin\AppData\Local\Temp\Tar882.tmp
    Filesize: 163KB
    MD5: 19399ab248018076e27957e772bcfbab
    SHA1: faef897e02d9501146beb49f75da1caf12967b88
    SHA256: 326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9
    SHA512: 6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103
  • C:\Users\Public\Desktop\2kf1dk1-readme.txt
    Filesize: 7KB
    MD5: 4b0a445f7f1159b7049b847b98d6ca77
    SHA1: bcb6f7bd75de25e2e135651a4ee8a5c200b4c96e
    SHA256: 4ea1a4ecf68a4ebc56700da0f65896493f34d4fb816de0b6dc3b9ab68c7bf178
    SHA512: bcfa7cb470ee090e20b6df6c63b72ca88f83c59234687e3e82b9faa0bcc8fc8f23824d7b12f3d516ef54c1f5ec5b82121665e6e4e3688c82340567361befba36
  • \??\PIPE\samr
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  • memory/2000-478-0x0000000000230000-0x0000000000268000-memory.dmp
    Filesize: 224KB
  • memory/2000-544-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-490-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-0-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-477-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-542-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-1-0x0000000000230000-0x0000000000268000-memory.dmp
    Filesize: 224KB
  • memory/2000-493-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-2-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-609-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-693-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-714-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-717-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB
  • memory/2000-719-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB