Overview

overview

10

Static

static

10

9a93ebdf53...ec.exe

windows7-x64

10

9a93ebdf53...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe

  • Size

    152KB

  • MD5

    3d17a6951aa9901375b5e9554b76c1d0

  • SHA1

    df1af8b22004c0668f2d0dde3d05ad6d5da3b0b2

  • SHA256

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec

  • SHA512

    98e5fad58c49bed4fc4c505d4f48d9fd33ae9b620ae3be28e5d0da7944c64e5f2b8da17e1154f08b9d9083fd39aa27350b63ce93a8213d8a9b2be9089075ddac

  • SSDEEP

    3072:ctchTojrZxtMhiiZHjUyWr4X5FTDUfGCH:c8kjztGiiBfW8X7DUO

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254aspackv2discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\dt5t073d3-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension dt5t073d3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/31271CDB520394EE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/31271CDB520394EE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jvrsjDGbZ4Bh9GMUL8iR7k6PWv2l9oHoYhiMcQupmuZk4rk6+t9+xKDGV+6bGRH1 37TCRyeB/fpU3dj4mmnQQfnEaeH3nuk9B3NfCLxJS6Qe9l2r+0OR7+z+4LliqecN JirdpvVaKOokqE9SV7ZVyXjrMCwZJbvXGmvA+dDRzp53R3nQ5cTFDKU2p/DLqZjg 8hsknuaiIz3uak0fcXvStDsh3g1QtyntDmUKWR0lMnGYFLlkx93qk9nBoprTVpkb tf/6FdtPl2+K/usffAefwrxoBD3M3cuVKlprLAArtEqb/O3mhMIUR8HqL/VX3wDO ewTPyTEVleJR5NmGImFHRmw+7QEQ5qE2c2bXyZb1GTDzQ2wVX4VnRppjH1sWTRtE UajHnM5X5fzgF04XbirH+iY2VaE1i/XXxtnCDZDqe60vjhqqvSVFWXJhsEnuKjv+ 7NtYiQnhHdwu8gMJj0NOSnljxiMmEqT1s7bGyS3akusIUCupcuDCOc3ale3M/YfO S9ZACGcVDWwX7oUX2aflgWiWJwmegH5Tr4xbG+W+3hiOu7WA27Dp89Km7xhwQ+9X WnJhvyBvL8bJGyEmW7/f+hUKaYAsPHYriYY0iZMnGGUn1izwYWbFEgg7wQOV5GI6 SvNCwO3ZA2hEAhKeMEuGQFBrLlkAK9huMKiRqj3xTTMIDh7SuR2gD1JIxuXAv0d5 RJApsu3jK9c0BwI6vOtukLEId3/a183hVNFbjnah+vcTP7usx20VLAQ8wdGL0ERj Eo5fveFe/QJFNBD7Zp1FnSiXL3rl5sT+0pR0SrqvbUt0lEtiDVZuw6G24axtyFKL gvyqGuT9O97dPA8qlrnREVIKgNUe4AqiEMzGf1/QGRDxfkKmYWymMU35g7nQAGad g7+B9JLAypX3rLQft1e73us/pLTVugUYTNKlOegaQGdRVtfV7p65PTyNTo5AMr0J F98CrKYjwUK+f9eBHnYn6DRs2qfb3LCEq9bFoFPyWLJNS3jv4kkczxWERQou9KRj aduI+ArRk0s1r6zgdvIG87H4bgZd7tTA3a53sO5Cj+AyAOnqRu6/MGmgJUIBkSet X1F4v8N5hBlIfoQbnDY50BNWgzajKsX1pPW1ChxlHSuf7yjSMmwlbKIqCtou4HUS N1owjGor20c92++mV/jPnqwR4gETObeUvjizxoQ780BhKVExRkDIXmh5+PoeJyjc TYlFhZl9KEnm3rDBHdzi2Kjwd/DrIPY8PbkvKfqJOcn00wzMVnfvXNbJRa7UiXFg xE4vQ5jDkxYEdkOYgaO+mVKOq+ddXDqp4hjyBbxsNHjDtdm0EtdnH7RzlOPBZ3Sg Sd/UMZOycH65KD3nZb+6/W7oxf3y3+Xp+MbIfg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/31271CDB520394EE

http://decoder.re/31271CDB520394EE

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe
    "C:\Users\Admin\AppData\Local\Temp\9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\40b30142.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1908
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2628
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2708
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HTBGGANG\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\208A477F.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\40b30142.bat
      Filesize

      187B

      MD5

      4a44e64f37ab1e06ec2238d4dc19f0e1

      SHA1

      2e2913c9a901892da404c6d510e13e1fa52a2de5

      SHA256

      a358601e119592f0f4589c994d9c756c6f15d4c1d0a31e38a7696359ee302489

      SHA512

      d593575a4d93646889bf07225a4421de31249911f6f8baf1937da43b3a4654202d15008b6b307900307ace2027d85e223181f29546221a5379b5dfe17b200d4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • C:\Users\dt5t073d3-readme.txt
      Filesize

      6KB

      MD5

      3fdfe83a451073b58f2ab7d30390b215

      SHA1

      c47f0ecd8a48d23e9f0557ce75a9a7605279e066

      SHA256

      d601caa825dbefa036c2c55e2a91a0307cde401b9ece5d6fe45a157e1495930d

      SHA512

      11bd540f8d6d8a5a63bc50e188af3bd107410ddf9443c0870d6deb9f28517687c00a25abca9a55378470ee584479670b08bd9731eda45eb0a80cd50bf0e96649

      Download Submit

    • memory/2232-12-0x0000000000810000-0x0000000000819000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2232-518-0x0000000000810000-0x0000000000819000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2700-0-0x0000000002590000-0x00000000025B7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2700-9-0x0000000000070000-0x0000000000079000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2700-8-0x0000000000070000-0x0000000000079000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2700-539-0x0000000002590000-0x00000000025B7000-memory.dmp

      Filesize

      156KB

      Download