Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02-04-2024 13:53

General

  • Target

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe

  • Size

    164KB

  • MD5

    17d54fde8f0dca439f4c32a02598e382

  • SHA1

    5eb54861db41b62e9fa296f703f06b8e52d1941d

  • SHA256

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c

  • SHA512

    09473f8ad9cd0d614d4a6fed4f7c34bba89f4a3e8cd0a350870e716b1f499d0d99f25ea436b13512094bf2f56178d5f9ffa8c74ad125c4c61e6aaba7b2a814b5

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOVFI0kmit3:ffYWAw9fcUdmwIXo+M9VQHDlZmit

Score
10/10

Malware Config

Extracted

Path

C:\Users\f932jkq7e-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion f932jkq7e. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A1FC415EA992BCD7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A1FC415EA992BCD7 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xy+TJ2kNLfBcCrR9h6vCkicyHMnmKaAWvY52te5QuGx3JK8qnBXSwVoKuHL+EZ3/ WvoJmFtHC+MBb6fYLheoDQV0ijvIie2Q2YGS3TMCcwIDQy3DhJi5oKs2xs3gQX3G wM/4T20AuqdDv349VAvhPOq62UKPv1enhT1gb46BWwLXWiE+7BQ8IiSTUpAT7zlY SnbAoudcdbJY2wb1idB0DUKzPxpdOg9lFn3CKMbSD6iQUMeBJpbCDaqlb00qOQCo 1ky56wWVBSk6bhaKTf+1b18iqFM0Cfc2tapJWyKNjc8KXwtrbDAW6E1vlu7EQ/yv 6pmo6D6oNrbflT7rvQUBf4Bf2fg+v307C3FjWgKqhgTAKVGSbl9MxtsIMJqvLBoq wVxAoiVvkCxsAVV9/9El7MwZwj6VhMvxSuWNE8cmfSVvYjv/tGwd5Wm4CMpLaTxw PEuVU7IzFZl+1aEby1uQKvlLRUDG8NSZ6spT+P6FOK/LNFDHN1M23gVmGBRQVYIY Lj+Mqy+8q6129JezrusLO0y7p65cdAenOWDSX0rr9WlAsmhWzmUqcfH6zfxdfSn9 6Z9/9j/PD9G7OyrRwfWANkU2ntsEIDOIi+SKoXH0wjQ5OKstoZ4RSRDFHDNZITkQ qbNjdvXuOT1HAGsV9/7uE/YMPEOCz6cK+q0B4xOtc57OhzF8o+z3F4MiyJDugto9 ZV7E7E6oLIW1nhhDZ1BCH9l1+//vgWGpiszHktm47HwmBdXXhwUW58Xqds6XworG 5DI8qfAzmUz2c+9YMt2756hCIqxktnYrNlU6F6WU4i70qI/xrX0Tjis5KmgVVnt0 XrEg5YmhEpePrzRqPPxbMiNdMCRdlJGev7d2nL0Gj6y6cwsKhSL6r0iGg6qEH4cr AYcVL6QIVBtIxRCqLDlILIPGmhJEIDQ8I9CiyqPQGUm9zvGJBI7FmBVrrS3Sfv5y 43weCuddTniGemkg/sw3sBZQm7oqezockIxIkVux1bK11EMQiunc25zdiH/Cd7/4 xi5DN6PYmoNNMyLItzUsGKHp2HesL2Uvlbil72/AO6szV8pvrS0Qb5QA6f3xjSk8 R/rSiCqPRDorYFffXJVV/sX01QWWJXpwk1PKrrfjKpsH0ahudz4np30psFqPM4Ey UxZvKZ2vgsEEGN/CdDqP1zjMSkJs6AG7t0qwmUaUvMEH/8FjSc5DqUsZclCFoFlX DQBYaJCrwG3hyYjssTDDLQ== Extension name: f932jkq7e ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A1FC415EA992BCD7

http://decryptor.top/A1FC415EA992BCD7

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. In this run the base64-encoded PowerShell launched as PID 2308 decodes to a WMI call that enumerates Win32_ShadowCopy instances and deletes each one, which is why vssvc.exe and the WMI callback sink unsecapp.exe appear in the process tree; removing shadow copies before encryption prevents recovery of files from local snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2488
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2404

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\f932jkq7e-readme.txt

      Filesize

      6KB

      MD5

      d3a9b1666cc17ac0e77a92f77540e16a

      SHA1

      11f31ceb6d22cb56c270539488dd1b093a5811dd

      SHA256

      168ed14fd49ae7f395abfedc9b9de3cf837091142826388c77bc279f75000ff3

      SHA512

      f8c5c8bf89473ab260ee35e951f5552c097987ff5e3b234d67db8f81d5fd304e4468722134eed4fe9e55eb3fdfaf4ebc10f80fbc304f1c9d40b300772add68be

    • memory/2308-4-0x000000001B760000-0x000000001BA42000-memory.dmp

      Filesize

      2.9MB

    • memory/2308-5-0x0000000001E80000-0x0000000001E88000-memory.dmp

      Filesize

      32KB

    • memory/2308-6-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2308-7-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

    • memory/2308-10-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

    • memory/2308-9-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

    • memory/2308-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2308-11-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

      Filesize

      9.6MB