Resubmissions

  • 07-09-2023 14:45
    230907-r45fysaf5s 10
  • 07-09-2023 14:12
    230907-rjbyxaad5s 10

Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-09-2023 14:45

General

  • Target

    40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe

  • Size

    164KB

  • MD5

    5117dc6337d71e68262ddc6124ff1b33

  • SHA1

    41890b9a7043d3d6300ed2a128425f321c69ea0c

  • SHA256

    40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04

  • SHA512

    71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c

  • SSDEEP

    3072:9fg0NBlu9CNTed7/kBazzFbULRU0pNa+eGfiN82R:9Y0NvuUN6F/M4qtXpNHE82R

Malware Config

Extracted

Path

C:\Recovery\o1xf2r4269-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion o1xf2r4269. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/0CD84EC953F2A1BD

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: [victim-specific base64 key blob omitted]

Extension name: o1xf2r4269

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD

http://decryptor.top/0CD84EC953F2A1BD

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe
    "C:\Users\Admin\AppData\Local\Temp\40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe"
    PID:4900
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (child process)
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID:492
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:3608

Downloads

  • C:\Recovery\o1xf2r4269-readme.txt

    Filesize
    6KB

    MD5
    f7d4cff34a384ef83b761df7edc1ed72

    SHA1
    ae40dfac3498d4073bbf982fb06b945ad13e861f

    SHA256
    8e3862de7789914b7997a83f2883b744c78963e7ea3341fb19288d0bc75d41ff

    SHA512
    fa158c1fae272c5fa54b78127caa8c4bf6f086b9e5bb89950600e3c062477f9a1f0d88ae744bf2e89227b4808f3bcc1b895b1ff142a89b9f5cc313d8aae06465