Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-04-2024 12:56

General

  • Target

    3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57.exe

  • Size

    166KB

  • MD5

    340b6f816bfdcfcb466cfc126c976844

  • SHA1

    e2e3adfcf621166a9f5bb7ee9795b7914cda2095

  • SHA256

    3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57

  • SHA512

    3e729878fe7ae2ea2f025d71d78226ddb5930b791143eb8c4ba4a7589d5944e5b0e37e8ffe1ea4983bbc66c71587e3a4b158b3e8a2b71ccbed2889c4778962f9

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QLOoBB2W:ZJ0BXScFy2RsQJ8zgLOYB

Malware Config

Extracted

Path

C:\Users\1eou15g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1eou15g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DAB72FA0C5017668 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DAB72FA0C5017668 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 6z6EHIMOn5d9HdN6STJHJlpHXcV5o6chP357rLmQYzUML0UAdQuVbsc8iozZ6k44 kb3IgD1VOtce+68/LK2/3gDSsjsZ4q6jBRMf0KPPjSfkNWb+cOwtebMa4/y122AS URpGabIjWv5ozsVYwks8z2aRxnNVQaEnBtyz3QyIqPWrddJTjLg7ZM53XhMhe/ol zrre5V9gi2FBkPypK9eh1LOPrJsJL34DpUPZ55h18nOR0qvnDmA7OZMSducejg7m Puv80LxqoDQ4ByuFdZfFWa58GWYktJl02D5KFZxSFHPbWweHUJXXYJIAj3Ot/OtA EJgTM7PmGIZsl941QL4v8P4wXIIm783iBXQHZ+HP+mh0eetQI8h1OPKou1k3W6l4 HKKUKvgth/GjWxthtzk+UcL3gqFMyOCCyaOr7GQDzRGJd37bqPNLjwjnoshLAC6S JPPxEI32/CThSwJQ9fiS5Sxk8VpbWra/3YizelnA6+7OFH/aDDVRFK4aRSynL/1V 7Rg2k0mawcWgLMju1FirMxM2xzu7fPh9s96dT1cpGa05qa7Ie9sJe3ZyDzziPTzp PsA7aWCWA3bgjwyHbELGFD5DtgCgHK3Z/imHKW4boetn+o4/sh03mOjtErQWm/OG Nnj9i5/f3i4CkgOJrM/Jfb6+de1roKgzVlgaoVmK2CwwCqW+jJQRWGugsSPuaUcB WXEd/0FmSnzcYkOp8ybWg5lbD3piNaCfjNvw+E64uweiE9QYCR4HlB0QR9KpMrH/ UtwaruO9jbCLJHKFWbi/ZoFRVER2y8pc+2bHoHfY1dYpzCdzFPhI/mXnY9vKWHmY TX9+lZDtS4K+sj3AQgKPQFxtyYKx6ng7TaakdfrESrG+tM+oUVNOomvhKihiK87N qVeSLCrZ0GBhv4OxsTfeQjK7uXt8llPGHM4vgkyjiyed1ItiPmNKck8yyJi7hsIa wriNpG+bkYfhoA9f55m2ezc9xmWMOj9ZGUmyJY/R1qNa2fxMfdsITDunQkPMiZjO sqzsFMGoZ67qaYlWDRQ9vZLQbzBfDN65TARWm8XjojIp4o17enWdlCdq6R+RmMS5 Jm12sshl+QzDN9dsiXDERoqaz4djyO4RBiOM4m5fsVCYSR4daAVgJxyjCgbGVyZE B48oJap9P8oPjFo1uSZ6OKss4bFLYD5UYCMoOPomIdwiYFMikdXwWo6MhTXXghR9 YtEmomNUJx224Bhc28jpHGpDgTDPww85jUuJa6l7dbzi/0OtVkcuu1Yccstb2Ji8 RWC748cNqtcPr+yTYffnPXpV0YFqrb6Hvn7kwwY1pIcBbaIMjS4sMEWoeaKNeyIi HHmNap9rFwOHPd8e9lUPmtJzOQlmvOKk5L1bJOULaOMvmfE/99cUtg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DAB72FA0C5017668

http://decryptor.cc/DAB72FA0C5017668

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57.exe
    "C:\Users\Admin\AppData\Local\Temp\3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4048
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:5104
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3260

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\1eou15g-readme.txt

      Filesize

      6KB

      MD5

      80ad59ce9dc67073751c52a84c96b036

      SHA1

      d7404b0bb03e921b58399e049e33c3b255ef6e28

      SHA256

      55a1cb59530eb38225bbfa8c97749226ecddd1974f4b4d49bacd4bdea261cbf0

      SHA512

      cc50f08892f22c9b859dc52124ae0238a37c512a2f23809dc599796468f8a20dae411597bd666f87a3cb743eb13745bc462b75ab142619942e5693f7454da2c4

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsvjnfla.z5g.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4048-5-0x000002557B750000-0x000002557B772000-memory.dmp

      Filesize

      136KB

    • memory/4048-10-0x00007FFAFE600000-0x00007FFAFF0C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4048-12-0x00000255795D0000-0x00000255795E0000-memory.dmp

      Filesize

      64KB

    • memory/4048-11-0x00000255795D0000-0x00000255795E0000-memory.dmp

      Filesize

      64KB

    • memory/4048-13-0x00000255795D0000-0x00000255795E0000-memory.dmp

      Filesize

      64KB

    • memory/4048-16-0x00007FFAFE600000-0x00007FFAFF0C1000-memory.dmp

      Filesize

      10.8MB