Overview

overview

10

Static

static

10

9a93ebdf53...ec.exe

windows7-x64

10

9a93ebdf53...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe

  • Size

    152KB

  • MD5

    3d17a6951aa9901375b5e9554b76c1d0

  • SHA1

    df1af8b22004c0668f2d0dde3d05ad6d5da3b0b2

  • SHA256

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec

  • SHA512

    98e5fad58c49bed4fc4c505d4f48d9fd33ae9b620ae3be28e5d0da7944c64e5f2b8da17e1154f08b9d9083fd39aa27350b63ce93a8213d8a9b2be9089075ddac

  • SSDEEP

    3072:ctchTojrZxtMhiiZHjUyWr4X5FTDUfGCH:c8kjztGiiBfW8X7DUO

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254aspackv2discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\1wh2ud8-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1wh2ud8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CCCFB142B54D1CC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/0CCCFB142B54D1CC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 8kk86Xj62t7G0yDwDr+fUKbScYAmze8ZS+4/v7JND7nlTsnj58hqNaE7uCi9Auco eEI5YGRV4tPWOwWVdyy9e23thVkfTwXBrytIf+ib+FuZ6Ph6KSg6/GybgDxTUjnS sdGaQENWblFVCX5ovK1VQHj1GubTgbH+cGs86rUzWnQyiI8uCCmi8Z/uWGEzQpAH NzOwky1QB+2kTxZ0It54D0sgocHK0Q96Idil5i4pC7BcH8uBycXiW4shovsfrFDK KP0ycBmjqWR6nLvBQ6yXt7IbUuyRgCr/7XDKA/06Aa2BIlbzC7DJZmARvZHD6egY KHX4okbF6l+fiPrnKEI5zgjDYJMKBBtz2YpOMMoLt/pDcuADcc2DnGJoVYZ/U9pd jIsiKy3HnIb/kuX50BCEGDKBk1gc0xwU64gmpuusy9VE7rLf3Ljs/zTakS02o9+k HUn+mFPkin+hM3hvzrPz8vETu2Qi1Hgx2gr0BG9TYLrGKTMx3HBqbLIqE4pPO28O UwqWpVN++o6vlukGMpKh/VY+O7uG+1kNA00lZ/sVXPaAI4pr4/o8VXMxsye1/4k3 AidaJRW5lFQTeOVo41EJVNupE9aa6dFeMVzF0s1Q6nH68S3rqLDbGyP2kDZZ4yuD dj2hNV3P8i5V06ETNoRxxce2ONNLyvvIYSpfQdUrMuKhN0Ba6gY14u1PpB1V/mYh 8P3Amzqd9fpGmCrj8SdQj4nUuK+s3G+KdULAfg+68bSBhJyfp/LsG7KeJRbw8dST Fo3p0MdIeHKgLMpDN5IXv+anAKI0f1O5wuIenVJwQ844fKhai+P+Jtkgnx8jLPoG 3nawydaE1Kqd8N7/Om0PFE1Boh5gq1mPiNIqBCV+0Sj6olT6Ksy2ladA+F45atgg 1hvJtoayxUJANkLHNerV6N/dmj1AU+IXFvPoPUoHYn+EuwCjDlYOsv2EWw5VYJRd MHZywDR0gJ8mfNRqMkTJtwyomgKkfWPucev4UlbM3dhqWh7vWn+8VKSiFIinthB9 e1Kvt3o18E+oQTBA2b1ErUDhWFbhD8V4uEvEtlruL7jXMwKJwAqu5gHn2iw66zFp jOJL8gRDG2WX9X0JFdA+/abOVGexdc3qH8cD4vCuFBH6PQQ/OQAUr5lZxYzPpNqT /zeAmZZ5l5RIHQXK2BinA+t7ZszvxCd8FDngCT9k2ghwWi+6dvMjr9/wsX5SZ3aw ZWK0+AVJ6dQurfkeEdtOh24+Q5/FoZYI+0tfHUbVAwBjpOq5foynJ3ac/VUBl4TS zCERGVhqUtvGAewvgWdodRHJIs0Znn/1EL6ydzJ2OnDyNDiGxrWFmn7v6Nlf6wpA YVhADHJq6TpvWKAc1ilOyH3+mcPun5LTcCJdoAwl ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CCCFB142B54D1CC

http://decoder.re/0CCCFB142B54D1CC

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe
    "C:\Users\Admin\AppData\Local\Temp\9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10250f37.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2404
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3216
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1412
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4124

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\1wh2ud8-readme.txt
      Filesize

      6KB

      MD5

      29ee58b4071b6e60fc0dc5badc3df13c

      SHA1

      378d324d4d0c62867d450af297f04d87683f8e9d

      SHA256

      c5d854d92607ba79255ba45b3f83d8d22912156373922d15560322a4b1717df0

      SHA512

      120f89a5571e1030b57337207842e0dd01037d4550faa6f1f92595e00fdf60297f5552f279318378460c612badf8a4be3c0a38b48d0e4dd29ca93f8521a859ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\10250f37.bat
      Filesize

      187B

      MD5

      18dac4dee0501d2957ea3eb95aaca974

      SHA1

      a2809e166facc75f5c3dadaeb58e79a6c32ffd01

      SHA256

      b6a6115775afc2084b6a99804a5bc2889255492fc26d1fe5ebafc753fe277e2e

      SHA512

      75ded7c296b59d7721f44632f005f33dc71aac5ce943680e8a92a6e57b9fa0f2bb80e5d46d2ccdba2f90b9048259819e4fc522bb1f23c70caa9713ebdfcef893

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\731721CB.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • memory/2312-5-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2312-46-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2688-0-0x0000000002110000-0x0000000002137000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2688-471-0x0000000002110000-0x0000000002137000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2688-475-0x0000000002110000-0x0000000002137000-memory.dmp

      Filesize

      156KB

      Download