Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 12:56

General

  • Target

    5cba3e44271279e747a67dd312d4dca18832b5a850ea6b85a460846ef0101fb6.exe

  • Size

    166KB

  • MD5

    8cbc25e4d5c3dd1ee950c9eaaa67049d

  • SHA1

    2e3bc332df0adf7b9aaffad3e91d55463c858fd4

  • SHA256

    5cba3e44271279e747a67dd312d4dca18832b5a850ea6b85a460846ef0101fb6

  • SHA512

    ea5326a5535995aa6a6754e3cc24096a8d27a23eed9bcbcf8849e59e9d341eaf7022c0524a5d15ccdb0405dcabe43d18f8587d12c79b4bfb50211ed7d51dd97e

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QZcl+UNO:ZJ0BXScFy2RsQJ8zgZcl+U

Malware Config

Extracted

Path

C:\Users\ye1j7s-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ye1j7s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9D92779CA70CBA4

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/B9D92779CA70CBA4

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

fqoaM0jVZ8gvL+D4D52dUFRh7pR0/cjC9cNBN/h9lP064D8G+uYFSHAQEDgKBO27
Ju++6+Dt4NLDi66npJeyT6O4d6Eby9y7yCPGJUtuwz/QBS/6j1DEYruXRn2/ZOXU
FpOF5RpICe94LwFXG1QAOCs+X723GCDI/bIX5aZPNO5wN29VyGrXCy9MfxLETt1g
adLKZpz3vDg7AizvBie712WMrzKYrfvU0tP89XhG4Yq/7NJBUtrffpZVotdBSOHC
UWhaZua9pC0J8cxasJsA+jN/SOnWE74RcQ0iIjnlgir7m1etDQ7Zdb6JeG8qoTXq
SDMeFzGVYWbyiObxQT2t5rTmeJVuYzrZ1cBbXaOsGw348dt498tRjOL3gQLTX5Ag
J6YkPAcerudNfoZC/p/e28kYhl003m7ylWj4pA493GP/FoJzKoB+Acs6aoVheuHp
p+jxmNap+qrmippTPLvsOtkujBPQ02lA3uR94PXQO2iXy1ZiDootEFfiVnbUJ+vQ
zvZI4rpI6lzJolqbnJTKhr5X+FejlkwLQDp+B6RVhoLkAcGp4XTzENRkOffVIkgi
Apee6gbNm0KzH9Zvtse99FP2k0X0E47qbMsHJH7k7rd+yftl1mSUgYa4AYBkwQk0
QPGCDQJxvOhbnYZYtmf0XZYPppiBhquMZ1ccRmIohFKy8eVT+IWE12COOyAHvbiK
1UCCNKCcuCROXXJyG/nDZmOk6h95vJl4FFLdbC3l9PVdPX5wNpjx0EsoQ3faVqhe
pZ0CQOOZki+udTqDmbcaZN6AmcdDGOk6wcWYilyh6kvyj9uj+r7VOfM+XgO/GSho
ySirvT65aDgcKz80+CDEKU1v9tGrkZDtHtXZZRzyEjXOSWJBqwOjg7o+rkpdOXS6
dB+NRXxi96+z6XBcPG4AoHTBcF4WiH00SP5tR9Efk3+cOMMIFzkC/qVucRf+dzq9
oFVNVNskhQ6kp1kvcUYPNQr2c1DidUS/+rTPBO8vNNEN2oFCjeqIhnCJbdPjIAk6
uccTO6ZJhe7M6yzjq32ToWkuDKOGyG8+sLGqaGBu38NrcOhlrEHtm/SJxFBmCa6J
d89PNvpDveviNTlYkNcjltQla37NtEier2oA5duNTICSACF+KMSGlux4AnQvUNQB
50MUvWqV8nuFuHDtGW9/Ipn0kvOMlTWbHb0Ah3K4lrCOUQeMXYtFRWd2T2CoUdsf
AB/F5iw0qEVrME4kAfQQOp89METXPafo1uRhFThgaZ/Z2zFGnD2BlpXCbgqmohE9
kHkMVgntJHEu7WrBAfhV/ZE5LV+RIujYITMWLDU3eBY7sPYPyxpslcGqbCR8HQ5A
zOq6krv8qxJwTZdDpZQK/zoAiDNwJjOvR8GGG8AHL/A=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9D92779CA70CBA4

http://decryptor.cc/B9D92779CA70CBA4
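The extracted note above carries everything an analyst needs to pivot on this run: the appended extension (ye1j7s), the victim ID that closes both portal URLs (B9D92779CA70CBA4), and the base64 key blob the operators ask the victim to paste in. The following parser is an added example, not part of the sandbox report: it pulls those fields out of a Sodinokibi note, checks that both portal URLs agree on the victim ID, and derives the expected note filename (<extension>-readme.txt, as seen at C:\Users\ye1j7s-readme.txt). The note embedded in the code is a constructed, shortened copy that keeps the page's extension, ID and URLs but substitutes placeholder key material.

```python
import base64
import re
import textwrap

# Placeholder key material for the constructed note; the real note's key is a
# victim-specific blob and is not reproduced here.
SAMPLE_KEY_MATERIAL = b"constructed placeholder key material, not from the sample " * 2

# Constructed note: the extension, victim ID and URLs are the ones from this run,
# the prose is shortened and the key is the placeholder above.
SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ye1j7s.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9D92779CA70CBA4
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
b) Open our secondary website: http://decryptor.cc/B9D92779CA70CBA4
When you open our website, put the following data in the input form:
Key:
""" + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_KEY_MATERIAL).decode(), 64)) + """
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data.
"""

EXT_RE = re.compile(r"has extension\s+([A-Za-z0-9]+)")
URL_RE = re.compile(r"https?://[^\s]+")
# Portal URLs end in a 16-character upper-case hex victim ID.
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{16})/?$")
# The key is a run of base64 lines that follows "Key:" and stops at the dashed rule.
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/=]+\s*)+)")


def parse_sodinokibi_note(text):
    """Extract extension, victim ID, portal URLs and key from a Sodinokibi note."""
    ext = EXT_RE.search(text)
    urls = URL_RE.findall(text)
    portals = [u for u in urls if VICTIM_ID_RE.search(u)]
    ids = {VICTIM_ID_RE.search(u).group(1) for u in portals}
    if len(ids) != 1:
        # Both portals must point at the same victim record; anything else is a
        # tampered or mis-extracted note.
        raise ValueError(f"expected one victim ID across portal URLs, got {sorted(ids)}")
    key_m = KEY_RE.search(text)
    key_b64 = "".join(key_m.group(1).split()) if key_m else ""
    return {
        "extension": ext.group(1) if ext else None,
        "victim_id": ids.pop(),
        "onion_url": next((u for u in portals if ".onion/" in u), None),
        "clearnet_url": next((u for u in portals if ".onion/" not in u), None),
        "key_b64": key_b64,
        "key_bytes": base64.b64decode(key_b64) if key_b64 else b"",
    }


def expected_note_filename(extension):
    """Sodinokibi drops its note as <extension>-readme.txt."""
    return f"{extension}-readme.txt"


if __name__ == "__main__":
    fields = parse_sodinokibi_note(SAMPLE_NOTE)
    for name in ("extension", "victim_id", "onion_url", "clearnet_url"):
        print(f"{name}: {fields[name]}")
    print("note filename:", expected_note_filename(fields["extension"]))
    print("key bytes:", len(fields["key_bytes"]))
```

The victim ID check matters in practice: when the ID in the .onion URL and the clearnet URL differ, the note has usually been edited or stitched together from two infections and should not be used as a single indicator.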

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this run the sample (PID 1704) launched powershell.exe (PID 2612) with an encoded command that decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every shadow copy through WMI so that encrypted files cannot be restored from local snapshots; the unsecapp.exe (WMI asynchronous callback sink) and vssvc.exe (the VSS service itself) entries in the process tree are consistent with that WMI call. This behaviour corresponds to Inhibit System Recovery (T1490), which the ATT&CK matrix below does not list.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cba3e44271279e747a67dd312d4dca18832b5a850ea6b85a460846ef0101fb6.exe
    "C:\Users\Admin\AppData\Local\Temp\5cba3e44271279e747a67dd312d4dca18832b5a850ea6b85a460846ef0101fb6.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2688
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
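The encoded PowerShell command line under PID 2612 is the single most actionable line in the process tree, and a detection should alert on what it decodes to rather than on the base64 text. The script below is an added example, not part of the sandbox report: it decodes -EncodedCommand arguments (UTF-16LE base64) from process-creation events and flags the shadow-copy deletion, whether it arrives encoded, as in this run, or as a plain vssadmin or wmic invocation. The first event reproduces the command line recorded above; the other two events are constructed controls.

```python
import base64
import re

# Constructed process-creation events. The first command line is the one the
# sandbox recorded for PID 2612 (parent 1704); the other two are made-up controls.
SAMPLE_EVENTS = [
    {
        "pid": 2612,
        "ppid": 1704,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
    },
    {
        "pid": 3001,
        "ppid": 900,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -EncodedCommand "
        + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    },
    {
        "pid": 3002,
        "ppid": 901,
        "image": r"C:\Windows\System32\vssadmin.exe",
        "cmdline": "vssadmin delete shadows /all /quiet",
    },
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen on the command line.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)

# Command text, decoded or plain, that removes Volume Shadow Copies.
SHADOW_DELETE = [
    re.compile(r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows"),
    re.compile(r"(?i)wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"(?i)win32_shadowcopy.*\.delete\s*\("),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad base64 padding/charset or not UTF-16LE text
        return None


def shadow_copy_deletion_reason(text):
    """Return the pattern that matched a shadow-copy deletion, or None."""
    for pat in SHADOW_DELETE:
        if pat.search(text):
            return pat.pattern
    return None


def scan(events):
    """Return one hit per event whose effective command deletes shadow copies."""
    hits = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        effective = decoded if decoded is not None else ev["cmdline"]
        reason = shadow_copy_deletion_reason(effective)
        if reason:
            hits.append({
                "pid": ev["pid"],
                "ppid": ev["ppid"],
                "image": ev["image"],
                "effective_command": effective,
                "matched": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"PID {hit['pid']} (parent {hit['ppid']}): {hit['effective_command']}")
```

Matching on the decoded text is what keeps the rule useful: the base64 changes with any whitespace or casing edit to the script, while the Win32_ShadowCopy plus Delete() pairing does not.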

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 3
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Defacement (T1491): 1

Downloads

The CryptnetUrlCache entries and catroot2\dberr.txt listed here are the CryptoAPI network-retrieval cache and catalog-database log that Windows writes during certificate chain validation, and they show up in most sandbox runs; the ransom note, the ye1j7s extension and the two portal URLs are the indicators specific to this sample.

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e8d0258afa1a62351db3d8904b4d0651

      SHA1

      5f0b925bf5766e3b30f385c027bedbf6b8c9ff61

      SHA256

      8bafddacaf47dd8d284b9b2c71d5c0517ecd63fdadf991278931918ca051d4ab

      SHA512

      ecd723a96ac982fe6f383720a6a7240b6a29d6272363663e1924e64003b059c4f6fc702c87151dd22564eb8dfadafb9573143086232d00147ea0b37d9ae2c4cb

    • C:\Users\Admin\AppData\Local\Temp\TarE103.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\ye1j7s-readme.txt
      Filesize

      6KB

      MD5

      a4fe5770b7848db80971a8b6a2e2b09d

      SHA1

      ecaf0c3e80d9ee5804c26d00abcdb2682b390a6f

      SHA256

      ffbb059c3707fd847b2497e66d02953606064e870078d7b5a95f0cdccfb8f6c2

      SHA512

      327ea8ac72fa995c83f0c387867f16b503cfadfb683240d81e2adabfabad0c006310673ef94aebb78048a48247594c3bb59587f9d954690650b9464cfe19194b

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      192KB

      MD5

      fa40bb4471ee4724b1a19d4e7e910eed

      SHA1

      025aac165ee29e55a4a05322cae4a18f0b2953ef

      SHA256

      4d09b74f8adf703fb0018ecb6e40d369458d5fe78eccdc832fae921c1d634b07

      SHA512

      94fc0a75f947380d92d4617dd3287c32845731b25d5075a2fd1bf1b499e80cc50e819a7393e2769054b5ab8bd7a0dad000bc5e289dfc16b31c4bd87d71492834

    • memory/2612-9-0x0000000002960000-0x00000000029E0000-memory.dmp
      Filesize

      512KB

    • memory/2612-4-0x000000001B300000-0x000000001B5E2000-memory.dmp
      Filesize

      2.9MB

    • memory/2612-11-0x0000000002960000-0x00000000029E0000-memory.dmp
      Filesize

      512KB

    • memory/2612-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

    • memory/2612-13-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

    • memory/2612-10-0x0000000002960000-0x00000000029E0000-memory.dmp
      Filesize

      512KB

    • memory/2612-8-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

    • memory/2612-7-0x0000000002960000-0x00000000029E0000-memory.dmp
      Filesize

      512KB

    • memory/2612-6-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

    • memory/2612-5-0x00000000023E0000-0x00000000023E8000-memory.dmp
      Filesize

      32KB