babadeda | 5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb

General

Target

6cf72f5fcd8496749d957f99e8b7489d.exe
Size

12.4MB
MD5

6cf72f5fcd8496749d957f99e8b7489d
SHA1

d1c46bad88255b82ff264f821bf3476f49f07fbd
SHA256

5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb
SHA512

1e80729c3e3aad324f24c2dc2381833ba8066b471b4f46f8bbce13f7cdea66adcd0a796ca072564a820feda0aa29ce0de45fcee2115ba0d13cfacbe0f7e481d2
SSDEEP

196608:0tObbMT9U95PXZYYFjsQ+YIs+GgALUMLKz5rETUQRUlMCBaKszvo7vsmYbG852K2:b95PX9uQ+dSez1+a9cfzveUmzzaN2

Score

10^/10

babadeda sodinokibi crypter discovery evasion loader persistence ransomware

Malware Config

Extracted

Path

C:\Recovery\zzrd1r7t1-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension zzrd1r7t1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/053DF435027E8978 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/053DF435027E8978 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: tkAgWQ0DE1zJRIJAfZ20q4HpvLVWIePaS/ndiYfuseb76Ir7xpdP8bOdvBCsi6U/ 2hYbpskcpJC4Ki2mPDf0nPn23VIapR7cruuDYGsxK655MfrZ5ksxSXb5Xr9hLgGy HOVypAdwMCaaEwOwgds4v17UnnhER9zcFTYd7WN9+SF0ITxHGCU+qj1LV+SDOrm7 uGGRPZgrYolYAw8nElD6vZPBtlm1F03mytpShxBC1dbinZTHTpqHevp0DBhQDHbm g2pFFAW5pRKY3MwrupHPKvLpFZaoq4HUnJD7SG8zDykIHFxxKzNY0ZiMSXF5sbMx iBDBWmeVqbIGcTJIsrgdCvhQdfmwMeADJ5Llj+AGUYf7Q79SXzAjZJrBM4Fmq7y+ 0ULtKbQH8diOyUAVGK3zaWT0AEFpJkriXTZYXR4ng1iWwd4m4Wz88wJgwLw8kKda KhmZttwgb7pNrdM/VApRjnf39HxnEDqY9WpYCHth70y0vpdHK1wbliecKlfvE+RM mv4iir95idqWFsj8TAaNc9XdFwY+lmirOLE04s2CaxGkS65XgjgNbB+Evij9BvGy sunefl/tAm4Orn2mprMQ4t2EfayItYLt5/QqEzmIXeu8C6Z7PHGMjcnZxftEDVi/ i2w2D7c4yU1GcS6LXcS3jBvdfpZTCRY3J7C+ZrfszUVVe50m340Q4IPbDVa+bTUP ofhJQtzsZQbLGxWkubKsYlY5/1eN1SoNImPHEak7RK/Hr9LU6rWui1PlGoQBX8hX wiVcs7tGYdQPp5LdE5C8YnTuZsLlDCpEUdMS8ehasWDUChPPI6Sj8ZRourVzwySx KcAud5zjrEyILSTBffmrvqH0l7Cd+SlzpGlWfAlbWPZIHZXy3VPdsLwM8XFAXkTB dgCBsOF5hw64W5m/GZ75fSgLJw7c1YZzxt3DEJD5oTxUyH2hcnR3nnk6VlQ3gKro eXG+VmhrOj+bZPbP9KjCto6F7exDeerPPlB7UW+JNOHKLSVvRhifNgqUs8LLSWm+ Nz09Ex3Wp2J6McHr5XBCL93e1g+U9uEQpXhxCYcGE8GDTMcW6LILWv4yEmK+0aE8 zJUoostRft/fb0Dy0chPnB4YwtcUkHCLef6y/inNnn0RsCf8uGYjgAT4XGRMKc8E KXHOujoNNG4Merl7bn8a/aq+5Vf4V/SaFPyDPreGp1ELCxPRFpZsoFtcTNfkaDWV bkQfrePY77igUppErjZNRKMYmvFDQORrP0rYOD1rL1hXD77Yh+xVZ481r6IV8+PV DFQJInfuHT8ltB/enCippyVPsNqXEBdhmLIoG8pOxPumOVHqnGotTZ9gtvVceOd1 VPwjerTKHSAs22j4bSE8nKpPj8OdEmYOfffPc0uA4yALqA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/053DF435027E8978

http://decoder.re/053DF435027E8978

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml	family_babadeda

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1316 netsh.exe

pid	process
1316	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6cf72f5fcd8496749d957f99e8b7489d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	6cf72f5fcd8496749d957f99e8b7489d.exe

Executes dropped EXE 1 IoCs

Processes:

rimage.exe

pid process

1160 rimage.exe
Loads dropped DLL 1 IoCs

Processes:

rimage.exe

pid process

1160 rimage.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rimage.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Roaming\\R-Tools Technology\\R-Drive Image\\rimage.exe"	rimage.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rimage.exe

description	ioc	process
File opened (read-only)	\??\I:	rimage.exe
File opened (read-only)	\??\S:	rimage.exe
File opened (read-only)	\??\T:	rimage.exe
File opened (read-only)	\??\D:	rimage.exe
File opened (read-only)	\??\B:	rimage.exe
File opened (read-only)	\??\P:	rimage.exe
File opened (read-only)	\??\F:	rimage.exe
File opened (read-only)	\??\H:	rimage.exe
File opened (read-only)	\??\R:	rimage.exe
File opened (read-only)	\??\K:	rimage.exe
File opened (read-only)	\??\G:	rimage.exe
File opened (read-only)	\??\N:	rimage.exe
File opened (read-only)	\??\O:	rimage.exe
File opened (read-only)	\??\U:	rimage.exe
File opened (read-only)	\??\V:	rimage.exe
File opened (read-only)	\??\X:	rimage.exe
File opened (read-only)	\??\Y:	rimage.exe
File opened (read-only)	\??\A:	rimage.exe
File opened (read-only)	\??\J:	rimage.exe
File opened (read-only)	\??\L:	rimage.exe
File opened (read-only)	\??\W:	rimage.exe
File opened (read-only)	\??\Z:	rimage.exe
File opened (read-only)	\??\E:	rimage.exe
File opened (read-only)	\??\Q:	rimage.exe
File opened (read-only)	\??\M:	rimage.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rimage.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8x3s56lgg7.bmp"	rimage.exe

Drops file in Program Files directory 32 IoCs

Processes:

rimage.exe

description	ioc	process
File opened for modification	\??\c:\program files\DisconnectOut.wmx	rimage.exe
File opened for modification	\??\c:\program files\StopGrant.pcx	rimage.exe
File opened for modification	\??\c:\program files\SwitchUnregister.001	rimage.exe
File opened for modification	\??\c:\program files\RedoSearch.mov	rimage.exe
File opened for modification	\??\c:\program files\BlockStart.wpl	rimage.exe
File opened for modification	\??\c:\program files\GrantEdit.i64	rimage.exe
File opened for modification	\??\c:\program files\PingUnregister.vsx	rimage.exe
File opened for modification	\??\c:\program files\SyncHide.mp4	rimage.exe
File opened for modification	\??\c:\program files\UnprotectConvertTo.iso	rimage.exe
File opened for modification	\??\c:\program files\WaitRead.pot	rimage.exe
File opened for modification	\??\c:\program files\CloseRead.ppsx	rimage.exe
File opened for modification	\??\c:\program files\PingRepair.vsdx	rimage.exe
File opened for modification	\??\c:\program files\SwitchInitialize.wps	rimage.exe
File opened for modification	\??\c:\program files\DenyComplete.js	rimage.exe
File opened for modification	\??\c:\program files\EnableDeny.dxf	rimage.exe
File opened for modification	\??\c:\program files\JoinInstall.docx	rimage.exe
File opened for modification	\??\c:\program files\UnpublishRequest.vsdm	rimage.exe
File opened for modification	\??\c:\program files\MeasureAssert.vbe	rimage.exe
File opened for modification	\??\c:\program files\StartDismount.vdw	rimage.exe
File opened for modification	\??\c:\program files\SuspendConvert.xltm	rimage.exe
File opened for modification	\??\c:\program files\WaitExpand.temp	rimage.exe
File opened for modification	\??\c:\program files\CheckpointComplete.tiff	rimage.exe
File opened for modification	\??\c:\program files\HideReceive.dib	rimage.exe
File opened for modification	\??\c:\program files\SuspendMerge.vst	rimage.exe
File opened for modification	\??\c:\program files\UpdateExit.zip	rimage.exe
File created	\??\c:\program files\tmp	rimage.exe
File created	\??\c:\program files\zzrd1r7t1-readme.txt	rimage.exe
File opened for modification	\??\c:\program files\RenameMerge.aiff	rimage.exe
File opened for modification	\??\c:\program files\BlockUndo.xht	rimage.exe
File created	\??\c:\program files (x86)\tmp	rimage.exe
File created	\??\c:\program files (x86)\zzrd1r7t1-readme.txt	rimage.exe
File opened for modification	\??\c:\program files\BlockTrace.rm	rimage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rimage.exe

pid	process
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe
1160	rimage.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rimage.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1160	rimage.exe
Token: SeTakeOwnershipPrivilege	1160	rimage.exe
Token: SeBackupPrivilege	5292	vssvc.exe
Token: SeRestorePrivilege	5292	vssvc.exe
Token: SeAuditPrivilege	5292	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rimage.exe

pid process

1160 rimage.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6cf72f5fcd8496749d957f99e8b7489d.exerimage.exe

description	pid	process	target process
PID 1200 wrote to memory of 1160	1200	6cf72f5fcd8496749d957f99e8b7489d.exe	rimage.exe
PID 1200 wrote to memory of 1160	1200	6cf72f5fcd8496749d957f99e8b7489d.exe	rimage.exe
PID 1200 wrote to memory of 1160	1200	6cf72f5fcd8496749d957f99e8b7489d.exe	rimage.exe
PID 1160 wrote to memory of 1316	1160	rimage.exe	netsh.exe
PID 1160 wrote to memory of 1316	1160	rimage.exe	netsh.exe
PID 1160 wrote to memory of 1316	1160	rimage.exe	netsh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
"C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
- Modifies Windows Firewall
PID:1316

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\zzrd1r7t1-readme.txt
Filesize
6KB

MD5
a768bf80055e28460b404a527e1191d0

SHA1
12327fdca3c69cf496e8f3b3d8116a0434a3bcbd

SHA256
1c150b9cb8463635e19852bdd0bbff2281c98642ead4aa95d364d246aa4049f0

SHA512
1c0edda16974a90e82abae1008d8551c7a027ed293c58c4333950f7a04250318687ba755329e51d7ea614814421cbbf463c2d39b36f4ea11d0581dc7f5e639d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
Filesize
2.3MB

MD5
3cee4866f4be8aa2d1874953f1ed82b1

SHA1
fd3d6d890d104d00e6ff54ad2cb498ac6ea16c97

SHA256
42a3880731d9a79a0c3c7e5c54f6b44583d9ac7c826ffd000f21e42827e911d4

SHA512
d312fbadf17d7b9ac9c31c87d984b4bfc290350a0ae07cd784ebb80ec5d1ec5e7ab5b6a9dd205d795b0a65d4c4c62c2f1e8d6f494cfa8501a8865efaa3e7a24a

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
Filesize
297KB

MD5
3f517c15e8b924be1ab285723de6fbf9

SHA1
a89c94cddd6247805b62314bf5f93b0ef0e24b4d

SHA256
b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5

SHA512
45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
Filesize
1.2MB

MD5
e87ba29ce7cce2c4b47b457e6aeb0627

SHA1
3e1b0310d35f53810b708a32bbf82e98df2b81db

SHA256
24d7f0fa99146f608c920deaad20039c25b11d7b309ad53139a18fc3c7e8249c

SHA512
0e58cfefffcd576f2520c3ac76808d1871c9c2dd5562d24d6889e9d7a8cb9573b5906ee15824a5042dc3f6a63bd934d6718a091a839c529813fc71f31b41401b

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
Filesize
1.1MB

MD5
41506e2515428be8a44da2fbbd440657

SHA1
361553936ee423b7e170111d7fd3b67d119fbdba

SHA256
9b7fb441def61bbbc6630856c3fcd9ddc921d2add8924ba6df9592b3f586f706

SHA512
7487d3f06cf2f280e25422e8f22fa8738dca2d89d1c71210e55b4759e422645bfc8a63cac2de258626d7329e25ddd0b9dcb69896ea20b56832fb5530f2bba974

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
Filesize
709KB

MD5
38ba8cb4226ec7b129b4463fd0bf319a

SHA1
6166e9a11a38fef6a197fcaee7b61dfa27976858

SHA256
caa362e600619f3d397a44380e9171b43975f4cf3dec54e577610ee070f97717

SHA512
6dbb93618e9ace27e3010e2291e420a8ff87d1449cb5a7ebc6f238c1d117c4d8b11397efd9e478758892055975ac5a73e849f61fed155cb366df523d2b07b7b1

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
Filesize
842KB

MD5
dc411c4643dad59bfe5d3a19b775c9c9

SHA1
ed99b3357a71c05253f15778c3e37d5372055916

SHA256
f3d6d04613c604b04bac46abfa2aabb5f722daea66c29635bd4e0bf8cf839b5c

SHA512
5d808f968c3a6413884fd619023e61baa5c5294cf79376e8294f709265d726d828486ac2110df7be77f60f70074ce0ec4298f0c11ee067bce2b7920196f2b428

Download Submit
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
Filesize
1.2MB

MD5
059880106001e05cbf02a9a305697db9

SHA1
ccf208bcb7605138d1bd5f8b0247183d6c649b88

SHA256
ad7dea1811b4f86fa88a697fa84688f9b3b7cf80ee521480fad560821031047d

SHA512
cb43b07790dff0e6de3956c66513ea793cfdf2f82db2b741e08cc9fb07fc35e5c0be4ae5e7795985fc8deb28f069a5f199c492fea87fdb4790b5eabd16709a5a

Download Submit
memory/1160-429-0x0000000000810000-0x0000000000FB8000-memory.dmp

Filesize
7.7MB

Download
memory/1200-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads