Overview

overview

10

Static

static

10

2024-03-10...il.exe

windows7-x64

10

2024-03-10...il.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-03-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-10_eacf011b488ace6141225c656a7168b4_revil.exe

  • Size

    123KB

  • MD5

    eacf011b488ace6141225c656a7168b4

  • SHA1

    bcd593ffacd351a80f87733a685296851ddf15b4

  • SHA256

    ac9b52580980993676677a68e4af90ba54f0a65311916f23aad2d54b74b6fc41

  • SHA512

    50fc88a20a80393ee9bf7d23e23621a89fa14f777233e1bd4c22eadc84482c99b2577ec82c572ff5b853f6c861a3061e17e71da9e04b65a39e1c05aa54f5a81a

  • SSDEEP

    1536:7DvcP3LThpshwVC5OE8yNcCQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxc:y4SVnaNcCM8gnBR5uiV1UvQFOxc

Score
10/10
sodinokibi$2a$10$ctl6mpbcozzcr.aru3gxp.pcftg0jof6upmmrky0hc0o.x.alltz.4085persistenceransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr
Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\1ik699-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1ik699. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36157C8A92733831 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/36157C8A92733831 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iuGEQbutkBvB3fZtI6pnhclUAHI7F5NeCcB1a0QwPU32OUXyGvGV17EYS4WUdcry LRSf28FdP4NoXXIHSgsDvhFBVe+u7R49pHlTS7yL981SJ4mlaV4KCHPw6NtqCbzE QBbcLIt/yPUTaRhXR2CsTIGo2IdwnTWqVRglZ1C9TW0TUpx3TEoLW9P6yYyXtsm6 50qaUCWm9hAMNxDjm/HzvzicmGs81A5QIjAaasfzccZ/AmO5NGwoam4OwqRLJB5q u3absA75iolj3O2Zm7bk9YY1pDzrWUlzbUoKCnGXej7/V0t4WD49GtYcJWseKMw3 UrVwau5Wo1Tym/i85QUYUpJlJ2729OV5wiwmbMPaad/zbHTiZIaWgMX1U5rkfzLJ phJsYSYJGYjIlPkgwHBhN6Kn9wA1dw2S62Y7gKIabOQPy9b9hRBSKBOA9o0XLp06 ilQHRZACNegDssX+b4/KhiauMsTa92NlHvHqCa3UGabHjBbczYztXAmopZR/vgfl o/iTWohKFTDx7ikMdl1NFxqLTxoG5ZOKdfYIRNakGJCVNHe96/T8ZdHNklLL3uhv dzSdWkHqazr6NpxgEzUi/ojbIxYi6IzhmhM2Igilk2ItHgwlxWQKlYyDnagB7Rs4 UEOk5OPacGlSvQKHL4ERrB3M3GEwBYb2o9hFRkH73jbNd9dIyXkW25iujnfjhZRO djUqlSdpZyywtCxK9hMhE6nzvmYOLMU0t+ZC27DlBdESm49SM1TB3rSh0W3pfnKI Z7mvzESa/RufWwcIeGJVVA3MSh08mbxxW1p/Kzi3v3Tzlcxe6wFCm2Cejzd2tQ7v 1lt/s8cGonREoxhZ7ewKtpUT7avd5fQb3BJVDfcEWW2Wp9bAsxadIZQh8iNCmrdw sgOsnrTF2uHSqV6pXeiPOPpVmbgKfKq+eEaGmWWla6BemtEvhoustBah0GRcVOVu 8NcMDyOYrs7pQxBg8wW0u/mMBqtTjJVw4vPtNXmV+hBZAA7wb54nG4xnaGv1l5dC H8xIc/ObLUdK0AxCVQUX1d68MGXy0URrylKav4Yt569ZHINTIcWNbGAiTM21Ux6P oVXeA3BSBoGir96WlCAZvJQ9vcaTWYbNiOrKbm+WCGt4ZH7G05hG0pPpgzO650Qv SBF4iHoSIphrQTJeJceY50ncnptJenH7Uafz28jdibv+wG5+hFkCxtxPTRHPhVyI lwOBON624IojD7QSGihhFgXSXFlVl/thG9GxnIll5yNrNEXJU39FHCa3al1ZmHh8 3fedyVkyCea/WfGfzu6okiafF5SCaoitUZ6jcCowOU6iNZQgHkM3Wconr3PCE83Q eJ13cx6TCDEFtJ0fVSc0/FZJ17xSGFfy0vDtqjxR7pw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36157C8A92733831

http://decryptor.cc/36157C8A92733831

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 15 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-10_eacf011b488ace6141225c656a7168b4_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-10_eacf011b488ace6141225c656a7168b4_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2668
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\1ik699-readme.txt
      Filesize

      6KB

      MD5

      0d49401c546b1ca1b5d5251133049ec0

      SHA1

      14d1ba537c0ee0a6c80e1c540f4f6e73c0b6374c

      SHA256

      a2902f60499a17371ff4a67e8d213daeb5c1d99044af83f72da46bf668a94804

      SHA512

      226f1c15ab026c00a451618e18e9cc46af0a998720fee1efaec5623c341776ef9e847d699d4c01a7d001e8b8351e55aa4def7f636ef487fbc3cfbdcbcf99f963

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabDCAB.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarDEA5.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      192KB

      MD5

      a2e581fff3496927d26e315715df752e

      SHA1

      6ebc7b86176171289e372315c8a32f00958bf15d

      SHA256

      7616f49c0739562f66774ab630bf20c6179138712ff3e1742f5701c79a004570

      SHA512

      476003059b34ab281d4a0bd1d1ba38cc4310c32876db43d2d16f5b5196a5961fd3cc139106acc0e6a94699a7c347b737a191e7f7eaae2222f49079ffadd7ab03

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • memory/2912-9-0x00000000025C0000-0x0000000002640000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-11-0x00000000025C0000-0x0000000002640000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-12-0x00000000025C0000-0x0000000002640000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-14-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-15-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-7-0x0000000002420000-0x0000000002428000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2912-8-0x00000000025C0000-0x0000000002640000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-6-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-5-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3008-13-0x0000000000830000-0x0000000000852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3008-0-0x0000000000830000-0x0000000000852000-memory.dmp

      Filesize

      136KB

      Download