Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 09:35

General

  • Target

    6cf72f5fcd8496749d957f99e8b7489d.exe

  • Size

    12.4MB

  • MD5

    6cf72f5fcd8496749d957f99e8b7489d

  • SHA1

    d1c46bad88255b82ff264f821bf3476f49f07fbd

  • SHA256

    5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb

  • SHA512

    1e80729c3e3aad324f24c2dc2381833ba8066b471b4f46f8bbce13f7cdea66adcd0a796ca072564a820feda0aa29ce0de45fcee2115ba0d13cfacbe0f7e481d2

  • SSDEEP

    196608:0tObbMT9U95PXZYYFjsQ+YIs+GgALUMLKz5rETUQRUlMCBaKszvo7vsmYbG852K2:b95PX9uQ+dSez1+a9cfzveUmzzaN2

Malware Config

Extracted

Path

C:\Recovery\zzrd1r7t1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension zzrd1r7t1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/053DF435027E8978 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/053DF435027E8978 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: tkAgWQ0DE1zJRIJAfZ20q4HpvLVWIePaS/ndiYfuseb76Ir7xpdP8bOdvBCsi6U/ 2hYbpskcpJC4Ki2mPDf0nPn23VIapR7cruuDYGsxK655MfrZ5ksxSXb5Xr9hLgGy HOVypAdwMCaaEwOwgds4v17UnnhER9zcFTYd7WN9+SF0ITxHGCU+qj1LV+SDOrm7 uGGRPZgrYolYAw8nElD6vZPBtlm1F03mytpShxBC1dbinZTHTpqHevp0DBhQDHbm g2pFFAW5pRKY3MwrupHPKvLpFZaoq4HUnJD7SG8zDykIHFxxKzNY0ZiMSXF5sbMx iBDBWmeVqbIGcTJIsrgdCvhQdfmwMeADJ5Llj+AGUYf7Q79SXzAjZJrBM4Fmq7y+ 0ULtKbQH8diOyUAVGK3zaWT0AEFpJkriXTZYXR4ng1iWwd4m4Wz88wJgwLw8kKda KhmZttwgb7pNrdM/VApRjnf39HxnEDqY9WpYCHth70y0vpdHK1wbliecKlfvE+RM mv4iir95idqWFsj8TAaNc9XdFwY+lmirOLE04s2CaxGkS65XgjgNbB+Evij9BvGy sunefl/tAm4Orn2mprMQ4t2EfayItYLt5/QqEzmIXeu8C6Z7PHGMjcnZxftEDVi/ i2w2D7c4yU1GcS6LXcS3jBvdfpZTCRY3J7C+ZrfszUVVe50m340Q4IPbDVa+bTUP ofhJQtzsZQbLGxWkubKsYlY5/1eN1SoNImPHEak7RK/Hr9LU6rWui1PlGoQBX8hX wiVcs7tGYdQPp5LdE5C8YnTuZsLlDCpEUdMS8ehasWDUChPPI6Sj8ZRourVzwySx KcAud5zjrEyILSTBffmrvqH0l7Cd+SlzpGlWfAlbWPZIHZXy3VPdsLwM8XFAXkTB dgCBsOF5hw64W5m/GZ75fSgLJw7c1YZzxt3DEJD5oTxUyH2hcnR3nnk6VlQ3gKro eXG+VmhrOj+bZPbP9KjCto6F7exDeerPPlB7UW+JNOHKLSVvRhifNgqUs8LLSWm+ Nz09Ex3Wp2J6McHr5XBCL93e1g+U9uEQpXhxCYcGE8GDTMcW6LILWv4yEmK+0aE8 zJUoostRft/fb0Dy0chPnB4YwtcUkHCLef6y/inNnn0RsCf8uGYjgAT4XGRMKc8E KXHOujoNNG4Merl7bn8a/aq+5Vf4V/SaFPyDPreGp1ELCxPRFpZsoFtcTNfkaDWV bkQfrePY77igUppErjZNRKMYmvFDQORrP0rYOD1rL1hXD77Yh+xVZ481r6IV8+PV DFQJInfuHT8ltB/enCippyVPsNqXEBdhmLIoG8pOxPumOVHqnGotTZ9gtvVceOd1 VPwjerTKHSAs22j4bSE8nKpPj8OdEmYOfffPc0uA4yALqA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/053DF435027E8978

http://decoder.re/053DF435027E8978

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
    "C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      "C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        • Modifies Windows Firewall
        PID:1316
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:4204
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5292

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
  • Discovery
    • Query Registry (T1012): 3
    • System Information Discovery (T1082): 3
    • Peripheral Device Discovery (T1120): 1
  • Impact
    • Defacement (T1491): 1

Downloads

    • C:\Recovery\zzrd1r7t1-readme.txt
      Filesize

      6KB

      MD5

      a768bf80055e28460b404a527e1191d0

      SHA1

      12327fdca3c69cf496e8f3b3d8116a0434a3bcbd

      SHA256

      1c150b9cb8463635e19852bdd0bbff2281c98642ead4aa95d364d246aa4049f0

      SHA512

      1c0edda16974a90e82abae1008d8551c7a027ed293c58c4333950f7a04250318687ba755329e51d7ea614814421cbbf463c2d39b36f4ea11d0581dc7f5e639d8

    • C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
      Filesize

      2.3MB

      MD5

      3cee4866f4be8aa2d1874953f1ed82b1

      SHA1

      fd3d6d890d104d00e6ff54ad2cb498ac6ea16c97

      SHA256

      42a3880731d9a79a0c3c7e5c54f6b44583d9ac7c826ffd000f21e42827e911d4

      SHA512

      d312fbadf17d7b9ac9c31c87d984b4bfc290350a0ae07cd784ebb80ec5d1ec5e7ab5b6a9dd205d795b0a65d4c4c62c2f1e8d6f494cfa8501a8865efaa3e7a24a

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
      Filesize

      297KB

      MD5

      3f517c15e8b924be1ab285723de6fbf9

      SHA1

      a89c94cddd6247805b62314bf5f93b0ef0e24b4d

      SHA256

      b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5

      SHA512

      45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.2MB

      MD5

      e87ba29ce7cce2c4b47b457e6aeb0627

      SHA1

      3e1b0310d35f53810b708a32bbf82e98df2b81db

      SHA256

      24d7f0fa99146f608c920deaad20039c25b11d7b309ad53139a18fc3c7e8249c

      SHA512

      0e58cfefffcd576f2520c3ac76808d1871c9c2dd5562d24d6889e9d7a8cb9573b5906ee15824a5042dc3f6a63bd934d6718a091a839c529813fc71f31b41401b

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      1.1MB

      MD5

      41506e2515428be8a44da2fbbd440657

      SHA1

      361553936ee423b7e170111d7fd3b67d119fbdba

      SHA256

      9b7fb441def61bbbc6630856c3fcd9ddc921d2add8924ba6df9592b3f586f706

      SHA512

      7487d3f06cf2f280e25422e8f22fa8738dca2d89d1c71210e55b4759e422645bfc8a63cac2de258626d7329e25ddd0b9dcb69896ea20b56832fb5530f2bba974

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
      Filesize

      709KB

      MD5

      38ba8cb4226ec7b129b4463fd0bf319a

      SHA1

      6166e9a11a38fef6a197fcaee7b61dfa27976858

      SHA256

      caa362e600619f3d397a44380e9171b43975f4cf3dec54e577610ee070f97717

      SHA512

      6dbb93618e9ace27e3010e2291e420a8ff87d1449cb5a7ebc6f238c1d117c4d8b11397efd9e478758892055975ac5a73e849f61fed155cb366df523d2b07b7b1

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      842KB

      MD5

      dc411c4643dad59bfe5d3a19b775c9c9

      SHA1

      ed99b3357a71c05253f15778c3e37d5372055916

      SHA256

      f3d6d04613c604b04bac46abfa2aabb5f722daea66c29635bd4e0bf8cf839b5c

      SHA512

      5d808f968c3a6413884fd619023e61baa5c5294cf79376e8294f709265d726d828486ac2110df7be77f60f70074ce0ec4298f0c11ee067bce2b7920196f2b428

    • C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
      Filesize

      1.2MB

      MD5

      059880106001e05cbf02a9a305697db9

      SHA1

      ccf208bcb7605138d1bd5f8b0247183d6c649b88

      SHA256

      ad7dea1811b4f86fa88a697fa84688f9b3b7cf80ee521480fad560821031047d

      SHA512

      cb43b07790dff0e6de3956c66513ea793cfdf2f82db2b741e08cc9fb07fc35e5c0be4ae5e7795985fc8deb28f069a5f199c492fea87fdb4790b5eabd16709a5a

    • memory/1160-429-0x0000000000810000-0x0000000000FB8000-memory.dmp
      Filesize

      7.7MB

    • memory/1200-428-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB