Overview

overview

10

Static

static

10

LisectAVT_...15.exe

windows7-x64

10

LisectAVT_...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LisectAVT_2403002C_115.exe

  • Size

    152KB

  • MD5

    3d17a6951aa9901375b5e9554b76c1d0

  • SHA1

    df1af8b22004c0668f2d0dde3d05ad6d5da3b0b2

  • SHA256

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec

  • SHA512

    98e5fad58c49bed4fc4c505d4f48d9fd33ae9b620ae3be28e5d0da7944c64e5f2b8da17e1154f08b9d9083fd39aa27350b63ce93a8213d8a9b2be9089075ddac

  • SSDEEP

    3072:ctchTojrZxtMhiiZHjUyWr4X5FTDUfGCH:c8kjztGiiBfW8X7DUO

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254aspackv2discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\96y61v14-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 96y61v14. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60180A6C5F0CB6AA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/60180A6C5F0CB6AA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: HjXZq3Awsv4ewbKBe0Ew/KrPe1RptyJZtk9v3mjVO3Zb2dHIIuD+BAHVaOYME+gy 9eR/UYc6QSi+U9PmkTFu0hnoHMyw5seyAbMm+xLoGmZWDeUFZ2g7SOZ4e71Nn79k MYi3pxlmuIPaykFmmRzwhTN+IET3RzWQMR048553wgeLebtAigbE8a1npRsAHyE5 ti5Xyb3B8m7cman0ICIElqA3F58yFmtcU3hFtz7Jufq/NKhM4BXFjI1b+4VbVQeE vwIULvWVypxEX5ROz31oQpohQouGi+PM/asCHgasefVFmT69Opu6EtnNHk135m81 JAVNi/9fx+z722COTHzlSbH1v92EJR1ciVLdF8SfR+wqyOkQroRFL2vNBa1Yq1ut EEfz/G1BVoWLDyswau3cHJLhJoYLhlFn+7ecCHGoXyNi4BliuQaBg4Y4OLFpD55F QYYwqB7W+dP51q4aOueY6q7N1bpFMpTpQaZ9q4jAZAgVPGzKDi/mCnVtiTbJute7 IIJPs+2HEorYCgIed82zSP80MBtWIbnSkiEohLSAbTRzxNCP+/N3N7xo4Xld4y8P cL9Qzzq3ZfRfRDuzCeKizqH9LnFCCLXj/g0JkOjqpv6+et3nEuChINLvISaJbhAj rKmaP+mtewclkECqzJLev18gFhBscXrCQgQQ4Yy0nzqv1AAa8rrWOO6lVNFZ+pAj qOS0xodfTOWqPEdotLYXwxedXt6cYlemBvhXN4Rx1b7hEGDu8oqkhqdUTu7WqsYQ 5u8zsqPClL//C0zcSKgWr5Nien9inMqdTktT06wfehxp+do3BamBcJkYoPy8Nopu Ga8txvR8TxvpUkIdMUM3iagOkX3FsUivO8iqralHFfwaG5XTsybVHPh7yU+GKxUr fwVYdBgAZLm2fhynNBbXAAs5g3qXfFbgN+n+LUJjfUgm3sj+Ffcef+W8UKjrp7N/ WimXeEJXJb2e4ceKr8+1RHYnN6ZbsvltZJv5GzwsG3zK6U8dI2JBbubIvxjwTD/C rhcjfw8eemNQ+sGfRiToSbZKHRlAMcscatBLn0su37d8ybtKmG+uaRoYTtbBtQms 9Eoarlozra+1H2SM9swnPGPCI/JXL0v7WCu7cHY4+wcJPcvapRHmRuh62Pa2BAk2 pLYKkZhe0sO4Qb9ncVE27SW1y0++aP1/h/CiFps/CHYDzl8aBBjyr4AFz6TGW7wG 9aPMMt/iPJhZ3QsA40ZDws7wKDcfaSfYHmMJ0uofWbs/h4ApQJ8G7VUDteNGFw4I MMURRGT155dLmmUgWNbg40TwBuSux1uYpKTchC5YSWqF7z7tSWWu8cz3t08wf2Jd yIY5LumORXyFO+RD1VARz/jo6XjGgP+UIRG6it3HYc4= ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60180A6C5F0CB6AA

http://decoder.re/60180A6C5F0CB6AA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_115.exe
    "C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_115.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32ad7817.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1948
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4916
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\96y61v14-readme.txt
      Filesize

      6KB

      MD5

      d35de626955f9a140f7a2005da4148bd

      SHA1

      3c4244e184a51b005675c8ddf4ee115ea89b067f

      SHA256

      e3133037f1a97b37d2bee2f843c3b9c86126bcce04cfdde9b3ff74d84f8fd956

      SHA512

      b731f58da05f6f6d396081b9b282dfcf47562d28cce14ca92fc6c3f4386366f298572354e16d8ee4c34f6a099425d67d97dd48924684de61928cc9dc0b972175

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\32ad7817.bat
      Filesize

      187B

      MD5

      b4c8c4de5580ddbd852dd74cb0275ca8

      SHA1

      dff09c75591e4430882197e55cea2841504104f4

      SHA256

      ad0afe6ccae6e824f35ec96b934884251045051d99b1e687e873bd33e8f6f3c3

      SHA512

      22cb46c2c7e9d1bcdc1ef9fe205fd2ace0d44c0940482bbc8d9c20b03db9e2bd5569e44526e8b003ba6b862a6d55247b0ae0a35350cd7083c827a512a68f1c1c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\59594221.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • memory/1216-5-0x0000000000060000-0x0000000000069000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1216-45-0x0000000000060000-0x0000000000069000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3568-0-0x0000000002580000-0x00000000025A7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3568-388-0x0000000002580000-0x00000000025A7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3568-392-0x0000000002580000-0x00000000025A7000-memory.dmp

      Filesize

      156KB

      Download