Overview

overview

10

Static

static

10

15ef2d6ef4...7b.exe

windows7-x64

10

15ef2d6ef4...7b.exe

windows10-2004-x64

10

Resubmissions

10-04-2024 09:31

240410-lg5wbadg5y 10

12-09-2023 11:01

230912-m4spyabg7z 10

17-08-2023 01:52

230817-caqclseg52 10

Analysis

  • max time kernel
    144s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe

  • Size

    160KB

  • MD5

    b572a0486274ee9c0ba816c1b91b87c7

  • SHA1

    43a904323a8583203b307c622c71c8ca706c2462

  • SHA256

    15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b

  • SHA512

    77d4ee400ded4b4be92da0170e7d2c197c312089429a1650e2843d0ceb15402d14f7e4fc3c2e84f20eeaa24995f0814c2106a37fc4cc32de7dbb4c15b6c5a171

  • SSDEEP

    3072:tp5SexkWi1Lbi4eTMlwDCnu/qjUt7ptQJS+s:HvGWwbnWJ/3tTQg

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Recovery\20860c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 20860c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6760401DDEC0D85B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6760401DDEC0D85B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Wi9aKgWhsOLneTVy93NmQ/J58jqSBZmKoFQJAxYy7sc1LAUGqZgP2+i0iFAm++Dv Zxgt3nx2A6pb7zEJWdWfL6hzKrt+t0RWLbEeqBrY8KFp51ip20dFmoGVpfdPDdqx 8E84q6dQB8gDnOYAbHDDHhZLhBNiWIKhY97Um0XHijTd0sQa1LxBhcf9f4WOrcEc FmojgDcndRrRU+zg3rtaVfdbyDFiIu0QGLLgEeOxBS7hU+3OwTDPWgL6OQyZ+1xB uDNEVP5h6FJihwL6DAUyrKfqIqZCWrnGf6hypjOYQllckwlNZBxoFWALpwe3M0vW zVq7pXw86BnRvsq9OOpaF2Bp5WPpNAtetD1h7t6BD/T4widMSZ5rTOmDwCNHVY3M Y4Oi3rgrVQxNMXhiV0yI4qOnoHLnzgLa9LQ3PAtO/7jdVbHsADPqnGyE0TGNNorS /26EzRF8RhrUN5dSPxjoWRGJOsXrWWdGdfUKsrGYlTT6Fsx9BQW/BQroQY9SBTDV LaeHlCKIqq4VyGgf/pDecxe60ZdSHlXxR/hkdr3yNZOkeC2HQjDPWmGrKy/7nsFQ zWRER8ODEnRlNDTeD+Hga+RN0fNX1oYb2eiifKRSxR8u7puPDCRyrSf9NR/U4UbH AtMs9BptSjJGRfIQfi1JXOwmLcDlyHPwT/M3Hx65uFPWiQw+xpIRBXVlah3nWg2b pChkE93/v5SuBpL0zX2rrv+32dY+PylICfr6a2s9Aj2y8Z5mw80MBJbdzLp/YMN9 ncLxUydX5+P5e5KhS73itCbx8GfeebVC+MXNnuMTKcwyNe5wVAw/1z4SbUt7yMGr Q4B2IAIA6cM2mnm8B7uoAI4LLRY4QamQx6IvyAZsER0UQTe+ObU+Y7do7qKNnlQG jXNQbEYUvLygWUyXyMHkJNGPlIx4aPZsjV+ItHzLHnXY17lMlrENzPexWh87eRtW uMpsfYlIrcdvZI5XZrRSjxXURzwWK1aMQY0kGi0v1V51aML2EgEORuLqkr9gYaTP xgGH12ecbdQO2a88t4mJQPyKBjMsRfnAfIeIPTH41j2GYxOPpUxuOoXjKCnavWgv FG3QjbagA3RRHDJjvwqZajeiJtV29Hm+Mzewn0jlHY/oBrixIw5uXcM7bDWDPcp/ X8JZBmJLGaTt7LVICWnkHUR/5Y08gFeuPHzA0bt6xGxRjtRVJBdW0hSBcXDVzcMw 9D5pCxps6fU= Extension name: 20860c ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6760401DDEC0D85B

http://decryptor.top/6760401DDEC0D85B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
    "C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\20860c-readme.txt
    Filesize

    6KB

    MD5

    8aa4d96987dfe44929d3408953f4306a

    SHA1

    66f6bb3c0c5be2202c0b1a428d780a8b29899fc4

    SHA256

    dc35e9c40847d0dab7ca82d54c2d512b4498053f31fe23bfb540f7ac04a2534f

    SHA512

    7bbbf2fe5a4141c635a38019a3d68027e045d87c7fcb1112dc8820b53fbfe79bf98d0efc14c4afc614c38126cb446f884328cbbebb2b568f5101c984261850af

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6c8f110fef64cc608e33fc488ad4be00

    SHA1

    354f5a7edce36211f334a18f474f49d979e9a160

    SHA256

    f136057c40e899e491ee61e0c96578fb9db4f6d61e1a53544043732a952347c1

    SHA512

    81ca4d712ea3c95fba3669acf6bbd49b20b5c4fb8f52af73e2dd042febe9f37c9663518656b260de98365f1825e1a362bf2837661aca4ae9e016550dedc76819

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    d0a45d8ef5751aff40eda7335ea98ccf

    SHA1

    ec7b122030a5f7da5777354dcb209f4b2adfe7fb

    SHA256

    1acdc1e9dd46ca203f68def8ff5b1a6c281383c5dca29e917419afc4cd216635

    SHA512

    872972e93245d120ae7bfcd26fa1c21786988a2e29a711249c8c4d8f9bf1b8c49d14bfe6e3d9cb325972ba104e22c6e44247361c08e753be7b12f0c2b682379d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6AAA.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit