Overview

overview

10

Static

static

10

42c28feb23...0d.exe

windows7-x64

10

42c28feb23...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe

  • Size

    166KB

  • MD5

    43e9093ffc8dd69985a9ae65b26f5551

  • SHA1

    7b268ff84e824ddcd8b7df3cf9993be012489d01

  • SHA256

    42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d

  • SHA512

    118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QG9BEJfMt0H:ZJ0BXScFy2RsQJ8zgG9jt0

Score
10/10
sodinokibipersistenceransomware

Malware Config

Extracted

Path

C:\Recovery\wpq2m-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension wpq2m. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/884E796F59D57ABB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/884E796F59D57ABB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2dpDZ78zX2b2dvXF5iWHoEvyOESk/bXR0+DRWfyYP9sTjfX7lLz8rH7blNuZ6mXv vH6FmLTxOMLggPOCcqNqfOGqLw1f+4S7PnDTOjq1a7rNXPjteyeX9QWuXuB2f5vA C+NUE3fpL6CM/x5aqVl0MXFHRQpiPUxQp5cioCcqoJy5PqU8rusNkBTggoAmSsKT TYAUduGYSpd9c9pHJTuMkmYnAenMkloYZw5SRAqg4vrdlc26/CTXEmBcYcWr+ZVF sYJCByfYKdzRqqk4X078F/XHaOFTn1MaDO3ScMBmj+RvP7maOZRtbjPOeXOdxpWg zfI5mZA54ncUVNzGrDXiinC4n4PgVsUPdgJUoZHvnZEGi5oUajoR7tIAxI7a+N8V Fzg+c3EywiANv4Mcq3MBlEhxe97AWq6CacwYzgJSBhFiNbHKMLNfRImihG2mbumV VzsTzYSiw3NBtSNfkt6H8reCduE05B++vS1Erjh/LAPEofN6qURU/Dt7XZiaTCrX ETvkotiJAGGoGW/jHjnPa/ePR6jqXKJjMYVcN7i/mhqgYz2aRv2eG8wDbZ7rVrsX qrlj/0/xqXx+QAU6CqNPN5TvokTMyrtcJtO7uQ/Qu+XR4CsJKXc/+Az+f5QmUB1K RqcLIHddDzUPryWrvxMo0JSiYhH3ibUHijcfX8P9uNB41YU18TVuhaHwSXV31vKB ET8A4YdKQ/6VwCmRaklnSgjuiBEl2eWDEIUV/ZuOIlMZrC2lN6hapy1e63VV+mQW PRD9qK8lVFVS1N/zSg7PjLAjHpFbe5CG9GAHHaePMoyrI/VDsZI3JaOnmKwPRiIG pp3O+aO4BO8I5LqbGAgCeP/WNtqBFVopjwab6De9ihlpsRnn2rGEfZq7Dld+4bGB skm+3dTn8yev3l8RRQeBDBKWXExXJV9g4PnvzhKVP0pduIusmqUz4QfaFQSlorkK TAFK3IIRi0WW6qvfd9CylS6fJJsFAHXKVBI4V6/66Trv7tEYlmgcUAtbdpP9ZnXg I5mcfzvHD7lj8GzTgC9HiYCakai5CPLXH6uNMd+c4/CvJt4NJMMJKj6KpoGwQtWh 1KpTt02NY/q43PKu9nyOyHWncxeMMnU7Ubk4cTxJEo7XtNyLNaxqAg3LRYtwqHVA eUm2JEexb0z4/3WiEgUKnPNdvS3+10ii9IQqS+cdJvXHX8M2NzHYJb51iTDGP8zH ctddrsTd+IyXjKzr0xTCRA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/884E796F59D57ABB

http://decryptor.cc/884E796F59D57ABB

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
    "C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1076
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\wpq2m-readme.txt
      Filesize

      6KB

      MD5

      b65f51bad8626853934a0518c548a43f

      SHA1

      ddcc3441140e30c9d8441993450205f6db92a537

      SHA256

      8f5e216586c699436f0a0f8c09a57745a0345bc942129db3edfc618f32c0e80f

      SHA512

      b0b613d964cf9ce1d4148247920e7ecedf5f6c65c8c6fe3066146d9dfb2c7083411a7b9287f2190c8e7bf39daac02f2355c47ff5975f40ead1dca521429ea7e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftzc4am2.qz5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/4824-0-0x000002A9E66E0000-0x000002A9E6702000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4824-10-0x00007FFFB7AB0000-0x00007FFFB8571000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4824-11-0x000002A9FEB10000-0x000002A9FEB20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4824-14-0x00007FFFB7AB0000-0x00007FFFB8571000-memory.dmp

      Filesize

      10.8MB

      Download