Overview

overview

10

Static

static

10

0c280ffb12...c6.exe

windows7-x64

10

0c280ffb12...c6.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c280ffb12537bca109724ec89d1ccc6.exe

  • Size

    179KB

  • MD5

    0c280ffb12537bca109724ec89d1ccc6

  • SHA1

    a8d5d8d5d1b8f288e919fe303787c5e1869ad653

  • SHA256

    a728d45de941ca5730401f224c80fa1dcc2224477e309f5e4a1de8276939dfbf

  • SHA512

    13c15edf4f022f74b3dd57cc203dc5a6bdde773a85ae83df772d536dd4c538ac11415a7c5d8fbb8b39e5e27c52d869a4b5cb19eb7c21c799e4bd8a53440b568a

  • SSDEEP

    3072:yEa2d8CfSXceqmPDu4lPZU/CZtpysa8ustqzhy2Is80nwnyxVps:ACqlPDuGPG/abesYzg2I70nqoDs

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\noc4675y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension noc4675y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32232C0574C06CF3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/32232C0574C06CF3 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: CJnHCQkbV7ea5DElnypQGGHDFR2fcNKMyXsZqn4TZFTmlONl5ykYLP/pRrA1C8DS oNnh3fHx3j1uAuG6SuqM30PP5gl4PH387FvkCCTayihw4eKtwmSlieF3qUY65RNa GPOnrxLVJMQ+Zj32lM0FplMAzjdf2FaToyQ34/X7BplYIGpyg7xENnS1rxBzXsCg kmMN0cg1vsoeYlihqlFLZNg9lCUXC5YtKJENbFcgKd8AHB7HNJumWnd0DeOaH7wZ U1URklf/S1AxbuRGd2r3EOCPXzDwJ8/lysGXhsSr20oCPRa2DsnNmYVCGVGbOnzt pmGwxbPPfM/YSYOXLKlR10vdUpsXUMCKBW7vB6xAi2lASOeuDx1Fn81vK4Ri9C8S U7hS1k94VsDmN8onvUbE8+DesL/aia1Va3prkNetSIo0Y0uhFfgErMNQZ3UQIy3Z lXwB783jQCDIEVsnyNiKrByuFIx5wXJEmQ3OgY+MxhmIVgg9aQlibXOx4TeHRnR5 TnhjDiDoJhkqQsu1SUAwVzvZWaPVbdncXolYm1mWd6PVE5VvNhYC3xsfl9QwqlSk +11nhMLoDk17tidpzWMd5hvOIX7hHLD5YIz9p0zAJAJipCr0/D2lAXDUwOdB7z9O keqj4HESYQ0TvGkzpqyTSM4N2p4XiNUZZyJzLplzUZVdoaW72kPgFdBFyjlB/hqY 4yYvwQyk6+aphFO7PoCWNbo5DKunllxFOHxNAzZlBsuUhK7rKowfFtvBuX+oRBpA OwY0x0EDP1/cTQ3FkUdC/zBJYyhfsxrDC31H5QtZXN/mcNaraUwrJioe5RzwaD7i L6Pxqq8JEPLu+mt0rOyFKMzgmW8C0tXL8Fzx5Li+3m5WVpBIQvmFynLh+CBM6TPU W2j4sqiA+YPj4g+YnhBjkP/HYGVTUeqI/olO+qK0892Wt7Sdc/JvIqnJOWrBgVfn vq6PJmKO5sSz2tneUd1rvqUsEKrW5FPzJbWjBKQUzzFgfbnghK+sMewrxahrHaxl TjUECgPdIK88L7wQhp95/7pAd9ZWufQp7IHo4Ujtl+AGZJmzB/HoVc3snYmPFZsU VkYgybDgKe44VnR/UO5HNNChF9YetIPDvCKTKP6x3hz0/lMzyaEvMeeyCi/MwOXr +6LLPJcGFt44y0Iz2i1wc7VRaOKhLtxgHH47vIuFPOuORgvg2a3XePQ763jW6bH6 w/5Ui+kQ5+6bhErDtauNZg== Extension name: noc4675y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32232C0574C06CF3

http://decryptor.top/32232C0574C06CF3

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c280ffb12537bca109724ec89d1ccc6.exe
    "C:\Users\Admin\AppData\Local\Temp\0c280ffb12537bca109724ec89d1ccc6.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2824
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\noc4675y-readme.txt
      Filesize

      6KB

      MD5

      6f7f0755bd4c5bc71d3a28cd4f22857b

      SHA1

      413ce927b74f067b4f2af53d82985c1edd2746a1

      SHA256

      b415ea0a65e36755a41c50304952f7deeb3d42b13803c4aca4dd2311f4cb712e

      SHA512

      ce6107b408fc5a6e6aea67f442d3aae06f78506aaa6c97a723f42246b501a113b40052dae1bd3829ba2103c868adce1b8003e207ebdf6816f4c187bd3e0e7f07

      Download Submit

    • memory/2720-4-0x000000001B180000-0x000000001B462000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2720-5-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2720-6-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-7-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2720-8-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2720-9-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2720-10-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-11-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2720-12-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download