Analysis

  • max time kernel
    159s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-03-2024 13:35

General

  • Target

    2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe

  • Size

    123KB

  • MD5

    8be4b3f41ef22c97f04eeb68d490dd5b

  • SHA1

    e94debf303e6b83194e45659a7cb8f26b7ad8519

  • SHA256

    3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c

  • SHA512

    926102a46daf75c877f07870f0e0d298518f5699f453d525f946b8eaa9fed3934603cdd6e6f5e6e7c3be8825ebd3cf1a055f119bb7d862a3cfa7ff48cd436617

  • SSDEEP

    1536:7DvcP30ThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxN:yrSVhaNcYM8gnBR5uiV1UvQFOxN

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss
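
The prc and svc lists above are the processes the sample terminates and the services it stops so that open database, mail and backup files can be encrypted. The following is an added hunting example, not part of the sandbox report: it copies those two lists into a rule that flags a process producing a burst of list-matching kills and service stops. The EDR events are constructed for the demonstration, and the substring comparison is an assumption drawn from entries such as sql and svc$, which only make sense as substring patterns; the report shows the lists, not the malware's own matching code.

```python
"""Turn the prc/svc lists extracted above into a hunting rule for the
kill phase that precedes encryption. Added example, not part of the
sandbox report; the EDR events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Config lists copied verbatim from the extracted configuration above.
PRC = ["sqbcoreservice", "dbsnmp", "mydesktopservice", "outlook", "ocomm", "excel",
       "mydesktopqos", "isqlplussvc", "onenote", "tbirdconfig", "msaccess", "encsvc",
       "infopath", "steam", "thebat", "agntsvc", "sql", "visio", "wordpad", "winword",
       "dbeng50", "powerpnt", "firefox", "xfssvccon", "mspub", "oracle", "thunderbird",
       "ocssd", "synctime", "ocautoupds"]
SVC = ["memtas", "mepocs", "backup", "sophos", "sql", "svc$", "veeam", "vss"]


def matches(name: str, patterns) -> bool:
    """Case-insensitive substring match. Entries such as 'sql' and 'svc$' only
    make sense as substrings (sqlservr.exe, MSSQL$INSTANCE), so that is the
    comparison assumed here; the report shows the lists, not the matching code."""
    lowered = name.lower()
    return any(p in lowered for p in patterns)


def proc_basename(image: str) -> str:
    """'C:\\...\\OUTLOOK.EXE' -> 'outlook'."""
    base = ntpath.basename(image).lower()
    return base[:-4] if base.endswith(".exe") else base


# Constructed telemetry: (timestamp, event kind, acting PID, target). PID 2780
# mirrors the sample's PID in the process tree; the other PIDs are benign noise.
EVENTS = [
    ("2024-03-08T13:36:01", "proc_terminate", 2780, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("2024-03-08T13:36:01", "proc_terminate", 2780, r"C:\Program Files\Microsoft SQL Server\MSSQL15\MSSQL\Binn\sqlservr.exe"),
    ("2024-03-08T13:36:02", "proc_terminate", 2780, r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"),
    ("2024-03-08T13:36:02", "service_stop",   2780, "VeeamBackupSvc"),
    ("2024-03-08T13:36:03", "service_stop",   2780, "VSS"),
    ("2024-03-08T13:36:03", "service_stop",   2780, "MSSQL$SQLEXPRESS"),
    ("2024-03-08T13:40:00", "proc_terminate", 4444, r"C:\Windows\System32\notepad.exe"),
    ("2024-03-08T13:41:00", "service_stop",   5555, "Spooler"),
]


def list_hits(events):
    """Map acting PID -> sorted [(time, description)] for every kill/stop that
    lands on a config-listed process or service."""
    hits = defaultdict(list)
    for ts, kind, pid, target in events:
        when = datetime.fromisoformat(ts)
        if kind == "proc_terminate" and matches(proc_basename(target), PRC):
            hits[pid].append((when, "kill " + proc_basename(target)))
        elif kind == "service_stop" and matches(target, SVC):
            hits[pid].append((when, "stop " + target))
    return {pid: sorted(items) for pid, items in hits.items()}


def hunt(events, window_s=60, min_hits=3):
    """Alert on any PID that produces >= min_hits list-matching kills/stops
    inside a sliding window of window_s seconds. A single match is common in
    normal administration; the burst is the ransomware signature."""
    alerts = {}
    for pid, items in list_hits(events).items():
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= timedelta(seconds=window_s):
                j += 1
            if j - i >= min_hits:
                alerts[pid] = [desc for _, desc in items[i:j]]
                break
    return alerts


if __name__ == "__main__":
    for pid, actions in hunt(EVENTS).items():
        print(f"PID {pid}: {len(actions)} kill-list actions: {actions}")
```

The window and threshold are tuning knobs: a backup operator stopping one Veeam service is normal, three kills and three service stops from one PID inside two seconds is not.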

Extracted

Path

C:\Recovery\b0xt169071-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b0xt169071. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0ED6789EC4EB1F5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D0ED6789EC4EB1F5 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: t7wO5RB8D69S5gsbnjyucNfZXZE1XC9UHDmIetSMvZm/xkm33D8uC4iMglM+pCPX CIxKmxBmms0dRPSXKjDuznOa8hBewuYxHUU/OKmR47pRVdphjWL0ENEqWYfLAqFi cGFeTX12/JZtWJWGvBCKoQu1mamOCvD675FmiX6Pqq77oVivwfElGVIxGsSFekBo dEmf8eTjGedT/cz2U09aSTOOJRRTwbLS7aBUaPp4Dmfvk285987iDT21y42s62Us tw2VvP/xM2DjKP+SG1FZNY6Afv7JBAdscq8GhKiSkU4JNrugScJCkAXSM+n7OcGN zNAlyfbvrEk3sR7ZJ3LbiV3X5cTPt1YxCjsrzA6J1wiDoJX3c7p0z0zFbf5uN5Gh E1PSzTE6sPvGfMfTsppgAR0gyYwoH6VphMUnQgBmUDGnUPMzXoZ2tHsFtD3n+tcE r5ygnHgcZyJQl1AUB33Vjhy2Trg3u1xJg31iRazhyDlsvJY3GkgSpO3Vb6U9DJYs sDSi/TQJqRe69foltrKNb9keFG0/olMIfEZ9U5njqlmLFwvy7g5ZdcV1+DuSSJ79 jk16PcMo3vxvi7UF/iXC16hnGW5wm6PFsuspv6uvXztnTmWPMdQNdTkPzu65NnWk CYN1wCZtFsgcllJNY4oXkKvadzpS+EhwUxC3UWAeZ6fdTMvuejU4/WDUqIiiAz1O WnC2saK56w59PA2mJWmuQO76NFAmt7PLWbOY1UTElhyPNavpu1OFc1b+sr3Lft2t jiMy/gzEgrZ3aUMAAsCtwWcLDAuNmj9F5+Ky+F2kYiuoA6nxMxSLX7PBrSGzqNZ0 Unr/dFVwdzFSQkpTXiLJx1IBE1DfllKCC1teHgeFeLsrTZLHY5mmtpYbFwMxB3ov Bu43IvzaE2ifXCXVJ2rhY6NY/k9tDd63t/8HHJeF6d3hMwhb02RXoXYrVwM4LlZB wnaQhd4LKpp16DuklG+I2+0PmEz1RVoMWrF19f0fFfxJzZvO87MNKqNEhd0U8qAE rX/ZtisBipzYN0n7/Jrw5KdAJreCt73XTwAn6nThwK4h3EI5hKiSr/I8/+e4e5Fq ZEknOzzF4FbOSLI+Oxvr770m3w/lrrS/Z4EJ7W9c2N8e+iGX46EXkgI7xy24u0wY aLRxt7M6PNwsS1xGhnXBJ+MSaDFvPEfqkxFQYe5xV6qJ1RUzYOnC1hVyZDMm2uU5 m1E6HFvg/f5ecZyhIjnDl0xoe5aHMkiuVGXgZzT/rs3CexydDxRxw/7/gRbjbp6M nz+YgCw7lqIS86PzdiG2wr2gDObxWDe8ofhSa/PFCFfI9L9GCuU+XqedZrXpXyxC 3aOTl9QUQLGa7lTzoSOU5cnI32nk72YgWRZhycqo5HIMVmRndqSARqnu9edRgA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0ED6789EC4EB1F5

http://decryptor.cc/D0ED6789EC4EB1F5
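
The dropped note is the template above with {EXT}, {UID} and {KEY} filled in, and the URLs listed here are the two {UID} substitutions. The following is an added parsing example, not part of the sandbox report: it pulls those three fields out of a readme so a responder can tie the file to the victim id in the portal URLs and verify the note name against the ransom_oneliner. The SAMPLE_NOTE text is constructed from the template's wording with this run's values and a short made-up key; the real key in the note above is about 1.4 KB of Base64.

```python
"""Parse a dropped {EXT}-readme.txt into the fields the template above
parameterizes ({EXT}, {UID}, {KEY}). Added example, not part of the
sandbox report; SAMPLE_NOTE is constructed."""
import base64
import ntpath
import re

URL_RE = re.compile(r"https?://\S+")
EXT_RE = re.compile(r"has extension\s+([0-9A-Za-z]+)")
UID_RE = re.compile(r"(?:\.onion|decryptor\.cc)/([0-9A-Fa-f]{16})")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*-{10,}", re.S)


def parse_readme(text: str) -> dict:
    ext = EXT_RE.search(text)
    uids = set(UID_RE.findall(text))          # both portal URLs must carry one UID
    key = KEY_RE.search(text)
    if not (ext and key) or len(uids) != 1:
        raise ValueError("note does not match the Sodinokibi template")
    # The note wraps {KEY} into space-separated 64-char chunks; re-join and
    # check it is well-formed Base64 before treating it as the victim blob.
    key_b64 = "".join(key.group(1).split())
    base64.b64decode(key_b64, validate=True)
    return {"ext": ext.group(1), "uid": uids.pop(), "key": key_b64,
            "urls": URL_RE.findall(text)}


def expected_note_name(ext: str) -> str:
    """Per the ransom_oneliner above, the note is dropped as {EXT}-readme.txt."""
    return f"{ext}-readme.txt"


def note_path_matches(path: str, ext: str) -> bool:
    return ntpath.basename(path).lower() == expected_note_name(ext).lower()


# Constructed note: the template's wording with the values from this run and a
# short made-up key (the key in the real note above is roughly 1.4 KB of Base64).
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension b0xt169071. By the way, everything is possible to recover (restore), "
    "but you need to follow our instructions. [+] How to get access on website? [+] "
    "1) [Recommended] Using a TOR browser! a) Download and install TOR browser from "
    "this site: https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0ED6789EC4EB1F5 "
    "2) If TOR blocked in your country, try to use VPN! b) Open our secondary website: "
    "http://decryptor.cc/D0ED6789EC4EB1F5 When you open our website, put the "
    "following data in the input form: Key: dGhpcyBpcyBub3Qg YSByZWFsIGtleQ== "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself."
)

if __name__ == "__main__":
    fields = parse_readme(SAMPLE_NOTE)
    print(fields["ext"], fields["uid"], expected_note_name(fields["ext"]))
```

Run it over every readme found on a host: a differing {UID} or {KEY} between notes on the same machine would indicate more than one run or more than one affiliate build, which matters for scoping.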

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here it is reached through WMI: the child powershell.exe (PID 2300) runs an encoded command that decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, deleting every existing shadow copy, and the unsecapp.exe (WMI callback sink) and vssvc.exe processes in the tree are the service side of that call.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:3232
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2616
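
The powershell.exe child above carries its script as a -e (EncodedCommand) argument, which is Base64 of the UTF-16LE script text rather than UTF-8; decoding it with the wrong encoding yields interleaved NUL bytes. The following is an added triage example, not part of the sandbox report: it decodes the exact argument from the process tree and flags shadow-copy deletion whether it arrives through WMI as here, or through vssadmin, wmic or wbadmin. The benign and malformed command lines in the test are constructed for contrast.

```python
"""Decode the PowerShell -e argument from the process tree above and flag
shadow-copy deletion. Added example, not part of the sandbox report."""
import base64
import re

# Copied from the child process (PID 2300) in the tree above.
ENCODED = "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen. The flag may be introduced with '-' or '/'.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Shadow-copy deletion via WMI (this sample), vssadmin, wmic and wbadmin.
SHADOW_PATTERNS = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\("),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
]


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries Base64 of the script as UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command, used to build test inputs."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_arg(cmdline: str):
    m = ENCODED_FLAG.search(cmdline)
    return m.group(1) if m else None


def is_shadow_copy_deletion(script: str) -> bool:
    normalized = " ".join(script.split()).lower()
    return any(p.search(normalized) for p in SHADOW_PATTERNS)


def triage(cmdline: str) -> dict:
    """Decode if encoded, then classify. Returns the plaintext so an analyst
    reads what actually ran rather than the Base64 blob."""
    enc = extract_encoded_arg(cmdline)
    try:
        script = decode_encoded_command(enc) if enc else cmdline
    except (ValueError, UnicodeDecodeError):
        script = cmdline  # not valid Base64/UTF-16LE: classify the raw command line
    return {"encoded": enc is not None, "script": script,
            "shadow_copy_deletion": is_shadow_copy_deletion(script)}


if __name__ == "__main__":
    print(triage("powershell -e " + ENCODED))
```

The patterns are matched on the decoded script, so the same rule covers a plain `vssadmin delete shadows` command line and an encoded PowerShell wrapper around it; logging only the raw command line would hide the WMI call entirely.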

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Recovery\b0xt169071-readme.txt

      Filesize

      6KB

      MD5

      122c52c9bfbcf0325ea8d0ed2579780d

      SHA1

      63f4d07d152e2a4162eab739e538d0428936836a

      SHA256

      f3a30d0197821970c8829929ed4ec7ecf1227a06939540291320aa2b7c12764c

      SHA512

      360da3490c186082b9f887d738152fb5c08f78c60ddd7e295eb3d7c64ef81c4e7d1922565d9f75a3142d165142f2ee1a899e8391a61126a962c3893d86e89cdb

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzlaarj5.uts.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2300-6-0x0000026E79CD0000-0x0000026E79CF2000-memory.dmp

      Filesize

      136KB

    • memory/2300-11-0x00007FFC4AEB0000-0x00007FFC4B971000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-13-0x0000026E77C20000-0x0000026E77C30000-memory.dmp

      Filesize

      64KB

    • memory/2300-12-0x0000026E77C20000-0x0000026E77C30000-memory.dmp

      Filesize

      64KB

    • memory/2300-14-0x0000026E77C20000-0x0000026E77C30000-memory.dmp

      Filesize

      64KB

    • memory/2300-17-0x00007FFC4AEB0000-0x00007FFC4B971000-memory.dmp

      Filesize

      10.8MB

    • memory/2780-0-0x0000000000660000-0x0000000000682000-memory.dmp

      Filesize

      136KB

    • memory/2780-454-0x0000000000660000-0x0000000000682000-memory.dmp

      Filesize

      136KB