Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2024 12:42

General

  • Target

    2024-04-22_440a6103023ba31583001b05b883769d_revil.exe

  • Size

    123KB

  • MD5

    440a6103023ba31583001b05b883769d

  • SHA1

    433668dfa874077d807f16a2fd344b08dfeac102

  • SHA256

    69d549207931f4451e78c40db31e61a62ac547db28b297108da450d2506f6c3a

  • SHA512

    b92f1d51806aa06e59b223690dae78c9e85942204f458a0dd62c049c3b067c2740bab3946c839c4c3d6d5b8c8764d23a80a1a26f56d58e50b0da867620198b53

  • SSDEEP

    1536:7DvcP3LThpshwVs5OE81NcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxr:y4SVhtNcYM8gnBR5uiV1UvQFOxr

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\hlwp6or0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension hlwp6or0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F1D45334BAF872B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5F1D45334BAF872B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: CMCAaY/cJ0clwmJTJAyuufaJf9laBBqGpSCK36n9wupuCX8ifJDhQKx7qVpmagXP LPbRY57TZZaawUWmFem5FfDDO6/pUOMR3Bn/bErv+CUPbrk2QuDA/ikNsIzv9Wec K0QNxkSCfG3l7XRP6kMB+dMNQ/Bp2UZ1faUGG1YULx9wTDdBFj7RG2DNdn8F3R4x tKIA6rpZaCbDyIMsBy4s/srljyat1I1N0ZM+MpNw/5rgoohD/G4sVZkK7A1EUflu BYbHkbmQRpf8kbZsBs54OCYYPxRKEDq5wB3+RaO06iv27MqSOntZQyrirXVK7ZUp AwJkx2yZcKdZ/hodwwHQDnOqXLnkipeVGqYOvGs/StbZM1YZ5IAP43j8bgcTRW5u 9SiIvJrqvQNSk7pUWWVhvhtNCgHrfXgZ/vNKBvDGetn1exyptaJwW5a646PnIcuH Bt9wgmEmH4QYYghofK3Gj7v+jjLn/mSXbZZBsmoA0FjXVW2KEyTS9gLJbr2EuSdM AOnvIiw04qsv5BXnSqqTj0ful04gg1D+3IOQVnGylQDBEcHdsywiTOpiGe9UhB4m KveeSg/h36fBzOCrV1Thbfk42kqnnk1C7bzZ1HdD+Kyt9yxlIqgOWw17e+U6bjrp k1HOPu2FBNEAZHFOmyMr8+YpWDZBT0KSvnv13O6P2DhtQQkkWn/ufr0AzQkKZmJG MT3keHtT8DC0KK52edSiM0mnFTi/Zn2eA28fW9jEV08QBsZ8Lbt3iKNRWRAIBw79 m1Mfrv1/5U58okSTXyeg3woEfBxtJf1McU73OC3jfaoeNF9YnVOBJCnpcqwybmiE MjolJfOpDZvDVMOEmxCstiJmQXaEAMll8Uf6cCzmvSNXJOHfBjEbG1+rY8D41CN6 jVUpQMlCiKVHPLAY8v18urelce+TuE8PJYTjT9JGKlNu4fdtH1i4Hb6FoT6FRG/W FyodNnY1JdwbL3Mu+5AkGbJ2avhapROLUYxce8HS5cOUxPEiN4q6oayBswr1HdPq nc55+09RNQ+v1bwpMoUq9kucuW3CWOWe7gfI63p39ZkGBsQCqWcVHjISP6Ygb4qg JpOUlIOMMpjMsURvdd7Ua7LsdhlMc1wyKlF529hBCx4rDY//WgXOuraueI3kinRE frCFzSJGq168rdEjQYL0EB5CfriRtmnRjZCyp6PWyjPyH9KMpdhsx7hZhFu3Woc9 EzfauheXQMP3LbPTYWAItd9te+d5POMsdTgn3fVHUCX9eB8+W6WPaNUnbzPdNDJx K9gLzz//DDU6svD9exQviHWEIHh7HhjqS4HWWIqPd9fgVnRDcoMcyQS+9v6W1iCy DPP1WqKoBy2JENy98HSHEcGpqHojckmCqSlwNjFhBc1JnLdXRtyhfaJy ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F1D45334BAF872B

http://decryptor.cc/5F1D45334BAF872B

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (32 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-22_440a6103023ba31583001b05b883769d_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-22_440a6103023ba31583001b05b883769d_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3204
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3384

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45yxxly2.kjd.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\hlwp6or0-readme.txt

      Filesize

      6KB

      MD5

      8dbd99d795bbedd1a1cb3714868b258f

      SHA1

      11e1c20679bb979a546d367d6101ccbb71659051

      SHA256

      01873efa0dadea5994836e5a803a83580f5954f3ac44b2fef0f92bcbbba6c4b7

      SHA512

      c31cf791433a0e080f06c39ee4be321a0dbb4ee69457b1692a06feada1df23abf815dbe82438fa477a9608b3bb997630396b68fcb53233c0b3fa2a525401e768

    • memory/3940-0-0x00000000008A0000-0x00000000008C2000-memory.dmp

      Filesize

      136KB

    • memory/3940-424-0x00000000008A0000-0x00000000008C2000-memory.dmp

      Filesize

      136KB

    • memory/4756-1-0x000002C474A90000-0x000002C474AB2000-memory.dmp

      Filesize

      136KB

    • memory/4756-7-0x00007FFECB8A0000-0x00007FFECC361000-memory.dmp

      Filesize

      10.8MB

    • memory/4756-12-0x000002C474DB0000-0x000002C474DC0000-memory.dmp

      Filesize

      64KB

    • memory/4756-13-0x000002C474DB0000-0x000002C474DC0000-memory.dmp

      Filesize

      64KB

    • memory/4756-16-0x00007FFECB8A0000-0x00007FFECC361000-memory.dmp

      Filesize

      10.8MB