Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 09:35

General

  • Target

    6cf72f5fcd8496749d957f99e8b7489d.exe

  • Size

    12.4MB

  • MD5

    6cf72f5fcd8496749d957f99e8b7489d

  • SHA1

    d1c46bad88255b82ff264f821bf3476f49f07fbd

  • SHA256

    5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb

  • SHA512

    1e80729c3e3aad324f24c2dc2381833ba8066b471b4f46f8bbce13f7cdea66adcd0a796ca072564a820feda0aa29ce0de45fcee2115ba0d13cfacbe0f7e481d2

  • SSDEEP

    196608:0tObbMT9U95PXZYYFjsQ+YIs+GgALUMLKz5rETUQRUlMCBaKszvo7vsmYbG852K2:b95PX9uQ+dSez1+a9cfzveUmzzaN2

Malware Config

Extracted

Path

C:\Users\r114f-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r114f. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74334F7798F6E8BC
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decoder.re/74334F7798F6E8BC

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
pFIXgTUPe5I8Gq8Q36ssTUJNDlqDG6CFNsRNqIIG/QGmalRxTG6wB14AVEyUrNp3
06HZvEa1M9ODp8P03VXaxTAzJdCvoBuCuSqPt12t3YuxHkZDJ12JTPZsmj+Nd7EB
xxNVNwGmYkeHM3gs9f9pfhZYV6615XngE54zjY9xx6vXAgPMC2txHUcoT+fYoJhP
O/0qtYHNSiog8mFJ8OdeWiECmdjwP+tbyzKwPiutw2S07GOrbfR7RD/fgVInw4f7
9p1vjQiG+Bfg5xZzEzxvqZAQbginXxZqZlQMlPiU9xdoIAk7eWAZZxlnYX+lGRl3
Qd0waj8ADZqUqv2dO3Qj8itJSGd+Ts1J16TQ0VuwCr3F6lhBRNoHL21ES+RWw/zX
u4uXvLA80NP3i1t1lJ+f1ywXKcCe8cuTIb0ToX0H72p3Lo7NjXz++vAc8kIKnV3S
SOT1P40iqNAKjMI2g2XQSr1Q4s2eUvkx/Rv+hrFDkepx2Cn10wmPs8R+xGag28c4
iN7ti8ey2Rucz74I866zHu/3J03iQy0PuQGKmX9UkGLhTlJzC2hSoxwPtZ8HFlsr
JF2wIP8Pr7aTh7kAeGZDIsUFZkYSw2yOO15w+JjrPYL2bPd5O7EmV9hyos1dV81C
r5v3zqn3tswT6Srm+jQoTCl9m5PMxoSPkSYO/YwSTFMbzCdFqfBg4pZ1hg+TKq2h
um1Y+5iHUxFCxwXQq4hn6Gr+zFzPK98sMRYlZxlJZtB86iZBL/JNIk3stTiA4/Bs
Osi+fNd694DY0Oyax2A1W5XdCSJVdb5IAS4f7geGa1V3J9beNWCiyYVD4egch1Xu
ZHt8jB7IMgSHxyvjj7z/ucoBY0nt/r5b3KAs+HGT7kw/cbhSKHb33LtAgzK/BThh
51+qV3yM10F6TRqx55H/zTF+Vo/5G+lbw6O3ALzvMlwRGFnPp4LYknkto1zDkUJI
SL53CaH5Ufc+TscKpuICey16qPHCLGplS+w1/e57C1DXNJtdDakDd7kie+yQfo2p
M/uUue9Fi/VUDByVVswTBIgD+iV6bQQs1pNaAQ9ZHTl78DQ/4Sox1Sp0BbgRbwer
EdDzTQpqGUAXls0w4K3uYpPoYUl4MnfeewB3D5kR88bAJ8YedibzxL13eVZEigBk
LDtA74SK2XGqn0qixBc//wYmgwm+d6xOzF05pJjgyY00Qm/9gxkqzS7nx6spyUVK
8ZEzEqh7usCKvSKv1oMSQi+tX1984WOAlHFtX588QrH9Ay2QkHtoK9XbWWg4qjW+
CsFFWl3r8n65lHxXGxv2oa7VoI/m8YI/aLSp4Fon04GIeT83X9sg5XfgVWNqulwB
k9+F6AN9hHQq0R6RuNzFDGWZ+S8=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74334F7798F6E8BC

http://decoder.re/74334F7798F6E8BC

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
    "C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      "C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        • Modifies Windows Firewall
        PID:2692
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1604
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2492

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Persistence
      • Create or Modify System Process (1) T1543
        • Windows Service (1) T1543.003
      • Boot or Logon Autostart Execution (1) T1547
        • Registry Run Keys / Startup Folder (1) T1547.001
    • Privilege Escalation
      • Create or Modify System Process (1) T1543
        • Windows Service (1) T1543.003
      • Boot or Logon Autostart Execution (1) T1547
        • Registry Run Keys / Startup Folder (1) T1547.001
    • Defense Evasion
      • Modify Registry (2) T1112
    • Discovery
      • Query Registry (2) T1012
      • Peripheral Device Discovery (1) T1120
      • System Information Discovery (2) T1082
    • Impact
      • Defacement (1) T1491

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
      Filesize

      2.6MB

      MD5

      64edeea9d5b5bbe49b4c22666353ee60

      SHA1

      b312e5785ea31da217f1858820555856e4393466

      SHA256

      7cb61a6fbdab9246b7ea368895a4cd928da5d3c61371cf14f3ac2fe39402f9db

      SHA512

      34189dfd28ec90e52f5ef4a6e92ee75b8af7ae04b9592324dcce740fdfa2652e5bdf0dccc712d5922322358f518375d0e70ae394045b0bdb7567ad97839e4ab4

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
      Filesize

      297KB

      MD5

      3f517c15e8b924be1ab285723de6fbf9

      SHA1

      a89c94cddd6247805b62314bf5f93b0ef0e24b4d

      SHA256

      b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5

      SHA512

      45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.0MB

      MD5

      49186898dca05292964da2db3eb23b90

      SHA1

      b29a90983485462127ada8db02bdb2cb862d95a5

      SHA256

      bfcfdf1f04335ad9e99697d7c3cf5f5ebf261dbea68d892f642c1547e3862ab3

      SHA512

      813450c9ec94b131816f7aecf105b46f31a70b9f2c69bf5132ca2586eaf138ea90eacb686a96a0a6e5b42b3534b052ea2d334aeb08a0b440337be1cb09643692

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.3MB

      MD5

      a8c922bc3e540279effd3f7412a83c30

      SHA1

      b1f26c253a72af772063b6c910c053fe6c8dd2ad

      SHA256

      875bedb03db4f4ae6b70108f4cdce4e783ceaa2b3eff86b1299992be7ec3ab7f

      SHA512

      05670248530198d43f5df0e3f916410e0fc77838c0008440cc2ed0128041b51fe52486694af58be276ae812a96d2d0d72f23a23b5c39d808369f64a32bc028ad

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      904KB

      MD5

      5a68fd557132bcbf3f9bb80124b84d42

      SHA1

      fd466abe54eef900288a7dc306df1bca4d378adb

      SHA256

      324d933119931529d77e9517f4e5634dc4d4289ddeccf89051a7451cc0bd27a0

      SHA512

      a89fec0dda2ec7b28917fb136df7ed7e9e4802eafafa7f78e152f8ccb15cc6503b1729ce59f346a4fa8173d0bb9606d11d47d01908872c57cb9fe1b0bdf7fc33

    • C:\Users\r114f-readme.txt
      Filesize

      6KB

      MD5

      37d5ab65c80b0f454a8069114eed7f51

      SHA1

      42ca02f25b402ff48c526edb91eb192ffb72eac5

      SHA256

      5a22c6d02cee6c116bfe198b82eed0bedcce40cd998efde538b21268c6a453fb

      SHA512

      90238cd1502e2f9ab8b8f1605eb8b6167786238d906f7d55b84b4f17e6991c3aa0a79515679370a6727422f12661dcffcbb338dac0f8c9513b33253ed4cacea6

    • \Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      881KB

      MD5

      55a168591b68d1b1fa8af89afa4c81a5

      SHA1

      31db0c6178cf09710ddb9bfc5e1f15584b7cf401

      SHA256

      25449d5ff157eee41449559913721f1a23a7ca4fc427f141a4adc5b0a473d112

      SHA512

      29795bffff93b57e37971af5239efad6d7007ca30ec94499681a5e2c192626cc6cf7ec49b096ef30b5cb910ea30d6df9d007c2259afca97fa921ad771f7de11b

    • \Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      1.1MB

      MD5

      f382cc5361fde9d0155cb417f1fd08ea

      SHA1

      da046912f69fa7cc8e517bc4d1782656c84fd601

      SHA256

      63ce6b191ff646ecb295c6018665c663e8253a58bb933f11ce66be6afc4d442c

      SHA512

      3753ee46865ec536e4915389ca5194768719e4e915b06b9ba1721eb2b55d4216053ade2a4fb4b43013f1bb6e62ab7f8ced7ff917c84872a03d972b5cbffa4324

    • memory/1884-423-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/2268-424-0x00000000001B0000-0x0000000000958000-memory.dmp
      Filesize

      7.7MB

    • memory/2268-428-0x00000000001B0000-0x0000000000958000-memory.dmp
      Filesize

      7.7MB