Overview

overview

10

Static

static

10

81689f1be9...ed.exe

windows7-x64

10

81689f1be9...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2023 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

  • Size

    115KB

  • MD5

    7e18b037a068c56417fb8e56aa7e49e8

  • SHA1

    f6739569a24358c8c060d7131be70712f70f36e0

  • SHA256

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

  • SHA512

    d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

  • SSDEEP

    1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Recovery\1793ouh-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1793ouh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B249DB43754DE2CA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B249DB43754DE2CA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ECgNd2nc3jlyE+x8NWvoTFAkZAVTKSrSHyyQYXpVBn8Oubg2/Honftn3wJPEccLW 4yHqnIUMEpKkVZrfHlQD39rR5P5QA4vIqQtMlF0NesXCWf0p9xfl/9yFGjlECaUb iq103IObTXg9bTT0B9yRiF/ED9oHLreZhUvG0ZdzC3AEROli6eAu3CxChsv8/OF5 bxTv3GQgWmt/7VpFTYAA0mrG0D76WtUTOacmMEluv4j11ZaTva3lUKMJamUPDJss n/mH5MwLCy8o+AYM74ya6XKDTXjLOfC52Zitp6RHLLmeTsXm/PWpMCQGhb7oQ70W Rhk9OEP76O94N0fiZK6OiPJSQWHBkwVzVH3fv3blbUhHGby4DYV26dhhJgvc9YHz qS1opWLz1LWS/Tql3b/MiVA7SHngKEd/w4XIN1P23ffJZGzZHwsqC8lmxajYf9UE 8OIlKrXiHsqFhWJRQq3J2CrL8w2u2zqKIbXz9lW9ymg6qhWIHNyPXNUdjTZwPiSA 2p8GemvI7+cHJYZwVPlPJSwFis9GsbmxVbVyS5hhslKMQzQbFqdHAqLhczYXJ0/M szD8IV8iWQYn7+1Z1JHtN8WU3mS3saCFyHSU0//nmJs0+EvQOjc/qiKAJp//VkzB 0TeYj64YHGWZEvt9GGghxJQMXEiN7wJ9XjpO1+teAWszP1ChBi06qrs71VYQgNcN qkyy7WOfnfgIxlPZRlePGsxPn35L//ziEWmgFQzpfDUpCXHzzDT14rDuaaOzBOUA I2VYxQkBiOoxHi1A1GmcorvzeUear0CRCrkeJ7uaFpwPlNamFoN9BIzRYqqo75Vi m7K+PJiiIlZXM1Z+1hi9AByFbDWPOfjG2FUOOluWyA5amOUz6acmJppUIUwAmIrv lzTDsqgUEqfZA2OMVk0JONiEAZc/bNINGBJW5vVE2cyqGO5SSkT6Vxo2B0L2Hmyq m2mAt/iEvmjAuq+7kp2ClGOFhGf9wcMv85TIiQ81Db5zxBw3VAMXBvJ/Tv9kXtVw Ddx8pGey0BdhzAUEkOWxxUU75TuSJV9vw+iJeay7WAPDYcZETytVqWHUGmLuCuHz /OpkZXTcib3onPv4uCobikZf8uf8Ir88RCJVWiPCoEN3O7fc6H/vt8i3PazmCStd sUlMmx/i3NrVd3Hm/cqHE750NGsI/TjdfXuPidl9ZPgxeXh3qRT23HOtLZ4j3tj8 SJIL8a21VkZHBSR2An5DC7GsTPpJQ/ugtAuzlbzK+OBxfBuyqzImEA1xiB1V7TLl Bp6CjJ6CGAtFRi6lmySs6G8kum34RAH7SrtjU06AfD4FpGs3aNBK65Oqmurguw8C 3ntXaQ6DRxL7MC6TIoYGuw5yv3US48ybbbjq3iN7jkLt5AksaQ0ZUA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B249DB43754DE2CA

http://decryptor.cc/B249DB43754DE2CA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
    "C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3720
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:3020
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3640

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\1793ouh-readme.txt
      Filesize

      6KB

      MD5

      b84b24469c533cac4cc9743575548a24

      SHA1

      43a1343e1f2e2575616a367c604b34c8c0977a68

      SHA256

      a9d36b3d6cd413b01e1af4df3e2c5af328ce7450390de1bd7aa65636e1becfcb

      SHA512

      ecfbf01f40131267f7d4c01a7819341c66f66cb2d9ef9e4a870550492a41bf620372f071053df0a31660237a44f593ead6c367dd57722ecca4618ff62190f0dd

      Download Submit
    • memory/3640-447-0x000002A11B740000-0x000002A11B750000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3640-463-0x000002A11B840000-0x000002A11B850000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3640-479-0x000002A123DE0000-0x000002A123DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-480-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-481-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-482-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-483-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-484-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-485-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-486-0x000002A123DF0000-0x000002A123DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-487-0x000002A123E00000-0x000002A123E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-488-0x000002A125000000-0x000002A125001000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-489-0x000002A125000000-0x000002A125001000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-490-0x000002A123A30000-0x000002A123A31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-491-0x000002A123A20000-0x000002A123A21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-493-0x000002A123A30000-0x000002A123A31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-496-0x000002A123A20000-0x000002A123A21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-499-0x000002A123960000-0x000002A123961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-511-0x000002A123B60000-0x000002A123B61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-513-0x000002A123B70000-0x000002A123B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-514-0x000002A123B70000-0x000002A123B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-515-0x000002A123C80000-0x000002A123C81000-memory.dmp
      Filesize

      4KB

      Download