Overview

overview

10

Static

static

3

6cf72f5fcd...9d.exe

windows7-x64

10

6cf72f5fcd...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2024 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cf72f5fcd8496749d957f99e8b7489d.exe

  • Size

    12.4MB

  • MD5

    6cf72f5fcd8496749d957f99e8b7489d

  • SHA1

    d1c46bad88255b82ff264f821bf3476f49f07fbd

  • SHA256

    5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb

  • SHA512

    1e80729c3e3aad324f24c2dc2381833ba8066b471b4f46f8bbce13f7cdea66adcd0a796ca072564a820feda0aa29ce0de45fcee2115ba0d13cfacbe0f7e481d2

  • SSDEEP

    196608:0tObbMT9U95PXZYYFjsQ+YIs+GgALUMLKz5rETUQRUlMCBaKszvo7vsmYbG852K2:b95PX9uQ+dSez1+a9cfzveUmzzaN2

Score
10/10
babadedasodinokibicrypterdiscoveryevasionloaderpersistenceransomware

Malware Config

Extracted

Path

C:\Users\r114f-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r114f. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74334F7798F6E8BC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/74334F7798F6E8BC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: pFIXgTUPe5I8Gq8Q36ssTUJNDlqDG6CFNsRNqIIG/QGmalRxTG6wB14AVEyUrNp3 06HZvEa1M9ODp8P03VXaxTAzJdCvoBuCuSqPt12t3YuxHkZDJ12JTPZsmj+Nd7EB xxNVNwGmYkeHM3gs9f9pfhZYV6615XngE54zjY9xx6vXAgPMC2txHUcoT+fYoJhP O/0qtYHNSiog8mFJ8OdeWiECmdjwP+tbyzKwPiutw2S07GOrbfR7RD/fgVInw4f7 9p1vjQiG+Bfg5xZzEzxvqZAQbginXxZqZlQMlPiU9xdoIAk7eWAZZxlnYX+lGRl3 Qd0waj8ADZqUqv2dO3Qj8itJSGd+Ts1J16TQ0VuwCr3F6lhBRNoHL21ES+RWw/zX u4uXvLA80NP3i1t1lJ+f1ywXKcCe8cuTIb0ToX0H72p3Lo7NjXz++vAc8kIKnV3S SOT1P40iqNAKjMI2g2XQSr1Q4s2eUvkx/Rv+hrFDkepx2Cn10wmPs8R+xGag28c4 iN7ti8ey2Rucz74I866zHu/3J03iQy0PuQGKmX9UkGLhTlJzC2hSoxwPtZ8HFlsr JF2wIP8Pr7aTh7kAeGZDIsUFZkYSw2yOO15w+JjrPYL2bPd5O7EmV9hyos1dV81C r5v3zqn3tswT6Srm+jQoTCl9m5PMxoSPkSYO/YwSTFMbzCdFqfBg4pZ1hg+TKq2h um1Y+5iHUxFCxwXQq4hn6Gr+zFzPK98sMRYlZxlJZtB86iZBL/JNIk3stTiA4/Bs Osi+fNd694DY0Oyax2A1W5XdCSJVdb5IAS4f7geGa1V3J9beNWCiyYVD4egch1Xu ZHt8jB7IMgSHxyvjj7z/ucoBY0nt/r5b3KAs+HGT7kw/cbhSKHb33LtAgzK/BThh 51+qV3yM10F6TRqx55H/zTF+Vo/5G+lbw6O3ALzvMlwRGFnPp4LYknkto1zDkUJI SL53CaH5Ufc+TscKpuICey16qPHCLGplS+w1/e57C1DXNJtdDakDd7kie+yQfo2p M/uUue9Fi/VUDByVVswTBIgD+iV6bQQs1pNaAQ9ZHTl78DQ/4Sox1Sp0BbgRbwer EdDzTQpqGUAXls0w4K3uYpPoYUl4MnfeewB3D5kR88bAJ8YedibzxL13eVZEigBk LDtA74SK2XGqn0qixBc//wYmgwm+d6xOzF05pJjgyY00Qm/9gxkqzS7nx6spyUVK 8ZEzEqh7usCKvSKv1oMSQi+tX1984WOAlHFtX588QrH9Ay2QkHtoK9XbWWg4qjW+ CsFFWl3r8n65lHxXGxv2oa7VoI/m8YI/aLSp4Fon04GIeT83X9sg5XfgVWNqulwB k9+F6AN9hHQq0R6RuNzFDGWZ+S8= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74334F7798F6E8BC

http://decoder.re/74334F7798F6E8BC

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
    "C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      "C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        • Modifies Windows Firewall
        PID:2692
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1604
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2492

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
      Filesize

      2.6MB

      MD5

      64edeea9d5b5bbe49b4c22666353ee60

      SHA1

      b312e5785ea31da217f1858820555856e4393466

      SHA256

      7cb61a6fbdab9246b7ea368895a4cd928da5d3c61371cf14f3ac2fe39402f9db

      SHA512

      34189dfd28ec90e52f5ef4a6e92ee75b8af7ae04b9592324dcce740fdfa2652e5bdf0dccc712d5922322358f518375d0e70ae394045b0bdb7567ad97839e4ab4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
      Filesize

      297KB

      MD5

      3f517c15e8b924be1ab285723de6fbf9

      SHA1

      a89c94cddd6247805b62314bf5f93b0ef0e24b4d

      SHA256

      b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5

      SHA512

      45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.0MB

      MD5

      49186898dca05292964da2db3eb23b90

      SHA1

      b29a90983485462127ada8db02bdb2cb862d95a5

      SHA256

      bfcfdf1f04335ad9e99697d7c3cf5f5ebf261dbea68d892f642c1547e3862ab3

      SHA512

      813450c9ec94b131816f7aecf105b46f31a70b9f2c69bf5132ca2586eaf138ea90eacb686a96a0a6e5b42b3534b052ea2d334aeb08a0b440337be1cb09643692

      Download Submit
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.3MB

      MD5

      a8c922bc3e540279effd3f7412a83c30

      SHA1

      b1f26c253a72af772063b6c910c053fe6c8dd2ad

      SHA256

      875bedb03db4f4ae6b70108f4cdce4e783ceaa2b3eff86b1299992be7ec3ab7f

      SHA512

      05670248530198d43f5df0e3f916410e0fc77838c0008440cc2ed0128041b51fe52486694af58be276ae812a96d2d0d72f23a23b5c39d808369f64a32bc028ad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      904KB

      MD5

      5a68fd557132bcbf3f9bb80124b84d42

      SHA1

      fd466abe54eef900288a7dc306df1bca4d378adb

      SHA256

      324d933119931529d77e9517f4e5634dc4d4289ddeccf89051a7451cc0bd27a0

      SHA512

      a89fec0dda2ec7b28917fb136df7ed7e9e4802eafafa7f78e152f8ccb15cc6503b1729ce59f346a4fa8173d0bb9606d11d47d01908872c57cb9fe1b0bdf7fc33

      Download Submit
    • C:\Users\r114f-readme.txt
      Filesize

      6KB

      MD5

      37d5ab65c80b0f454a8069114eed7f51

      SHA1

      42ca02f25b402ff48c526edb91eb192ffb72eac5

      SHA256

      5a22c6d02cee6c116bfe198b82eed0bedcce40cd998efde538b21268c6a453fb

      SHA512

      90238cd1502e2f9ab8b8f1605eb8b6167786238d906f7d55b84b4f17e6991c3aa0a79515679370a6727422f12661dcffcbb338dac0f8c9513b33253ed4cacea6

      Download Submit
    • \Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      881KB

      MD5

      55a168591b68d1b1fa8af89afa4c81a5

      SHA1

      31db0c6178cf09710ddb9bfc5e1f15584b7cf401

      SHA256

      25449d5ff157eee41449559913721f1a23a7ca4fc427f141a4adc5b0a473d112

      SHA512

      29795bffff93b57e37971af5239efad6d7007ca30ec94499681a5e2c192626cc6cf7ec49b096ef30b5cb910ea30d6df9d007c2259afca97fa921ad771f7de11b

      Download Submit
    • \Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      1.1MB

      MD5

      f382cc5361fde9d0155cb417f1fd08ea

      SHA1

      da046912f69fa7cc8e517bc4d1782656c84fd601

      SHA256

      63ce6b191ff646ecb295c6018665c663e8253a58bb933f11ce66be6afc4d442c

      SHA512

      3753ee46865ec536e4915389ca5194768719e4e915b06b9ba1721eb2b55d4216053ade2a4fb4b43013f1bb6e62ab7f8ced7ff917c84872a03d972b5cbffa4324

      Download Submit
    • memory/1884-423-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2268-424-0x00000000001B0000-0x0000000000958000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2268-428-0x00000000001B0000-0x0000000000958000-memory.dmp
      Filesize

      7.7MB

      Download