Analysis
-
max time kernel
1563s -
max time network
1564s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
16-07-2024 08:54
General
-
Target
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
-
Size
115KB
-
MD5
7e18b037a068c56417fb8e56aa7e49e8
-
SHA1
f6739569a24358c8c060d7131be70712f70f36e0
-
SHA256
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed
-
SHA512
d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d
-
SSDEEP
1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v
Score
10/10
Malware Config
Extracted
Path
C:\Users\43186s2-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome Massive Prints. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 43186s2.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EDE824C463069171
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/EDE824C463069171
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
pfw2kna6epbz8qsT3KQY/zs1evPLY9gBeWPzmgDSOScHEELRnZtjTeOhrLBk+m4Z
KT59fz68LH8XKxLkI9QJd2m28z7EMHVor19riu9ucRNV2yNZg4+W65DGgvgPZqzZ
yWksSvrpZETUMUtBdClwrrtJKEFtPMXdlXSA5Ywf7QcUzytJX5z5ulfx2j421D5e
N/CmMcPY03gBQZyhWas0BFHBFj9lE4DZ/LYNfQSh5r8YbCvCG4EXzKFmW41cxVf/
9eSmgZemFUTUWPh7iRIt48W/SHF22HX9eE5VAh76GQREAVhr3UgVApMPNTBMoIBf
HIx6CLgxBb9lm2BUuHYGvHUsjrIoW6O2rUJMlUb9Dtnv31WSenCfwzKhyA3L0Hxk
ykqgl73BayHQwQ9ICY42Uih/BDyV6AoUnsmdvZSAahQn8bVkecUCB6UBLm5ZZzRK
LzBba1uaalpNaFAQqMkEoQeW0E14TDQ5z7GMHSkYGDNd2QVNhXlxk8x+o3FFMl8o
xHufTjIQJXeThUTe9TbeQXlBEzjjMqUnMU8RNNE33/UDRPquBb3Zziqi+U1qBxxW
21I1f0vGDOlDarvPm1oEFYHxvfj+o6lz/1wR1qqiGh3ZbjO7JdNgiPX7djpYD9Zr
3K/EVU74sMPXLdtUA6gZglgxOfCkyAH6RKDvvO/92UvR2788SztWsthqi6GTkJf/
eG1CS8YH12g3cO0LGSlPyGhLZwM2Li6kgMl5X4XnoCY8P6qC0dyAsl89uUNG9P1H
NCJvnN6/ORuq3jz+RxxCdWFIkFFo5sT3Kl1Uj6dGRbB+B76AFczEtsAoZcVVCQds
p51ogz0EzMdSULkJI6w5o4VCbJkeERxKia5LxNlfSDjnINGzowEFjPHkammxBffE
9CMfU4XkXzEpHm5NlnZbvx+EX43sje5/G/cNbLbn0nJ+du4L3cffulvpsRu9IYLX
IdWvTkuB6prLJvEScjg8NnH+/Z/3bj8qtiKKbdVWO4NQi4SknrFx9Y7Fl6kNe4Jx
YkBzp37T9CxFqbSDaQZ/l7wFTvpK5KMZE9aicnAM+VH/V9mZzrngvcqEK9btjxLe
koeoKddCX//fljQTZ2ValgPq79/CeoY5/ESDCfiDmrmZAi2QvdR39Yo85CrvQ1te
OqhYGw/yXZdvL4lFFPwbjVAoOwtp6TkWCMlroRAJN+m2evpH54Xx2qHrOiOESrbM
ojuH7nWOvkjZxvwmlAyC6Zug2vQ36vAZJaZA6Tn+myUYMWKX2BilVL5DWSXO5Lzc
YTXyBrRjLVxHn9wNyNbSPRnBYQeL5YRMwo/UiO9cav/XOkgJs+I2WQ5GZ/MSPgrI
wnbRX5u4CrKJtcQkvmflS/1iZneQsV6S05e9zgT0O1CGuQ==
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EDE824C463069171
http://decryptor.cc/EDE824C463069171
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5651f448e801b62db6aebae81e34bf364
SHA1b56ded98df3df3dae52d655efbcff9b9d755fcfc
SHA25654d6f9124b1e486d951a248e61fb0ab9ff3d7122d3c45bc6ff62e7bb34e8ec1a
SHA5120823b7accb77fed1f50dcefb2b5a8cb179feaea895a2655202f3bb7e2dbc9238ff70c2dcbeb91bda5a03544f0f924931a59171d681e2f13e45a07ee7f87fe24e