Overview

overview

10

Static

static

10

3d17a6951a...0N.exe

windows7-x64

10

3d17a6951a...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d17a6951aa9901375b5e9554b76c1d0N.exe

  • Size

    152KB

  • MD5

    3d17a6951aa9901375b5e9554b76c1d0

  • SHA1

    df1af8b22004c0668f2d0dde3d05ad6d5da3b0b2

  • SHA256

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec

  • SHA512

    98e5fad58c49bed4fc4c505d4f48d9fd33ae9b620ae3be28e5d0da7944c64e5f2b8da17e1154f08b9d9083fd39aa27350b63ce93a8213d8a9b2be9089075ddac

  • SSDEEP

    3072:ctchTojrZxtMhiiZHjUyWr4X5FTDUfGCH:c8kjztGiiBfW8X7DUO

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254aspackv2discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\y8r89bj-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension y8r89bj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9743985CCDB6806 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/A9743985CCDB6806 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: wMIh5jthy7xOUWV+NbAZ6H05vhryQ/qsti1HNHJyX04/UXeJ6cjoTDa4lRNgUiZt GU4rhkmmavkbq4GIAqU1niDdKY9Yt1WwIww9Kbi/TzC2vqD55U1aAut2Dgd6rtyS 26w7kzgdmQwBiN8SBFUNxZxQfUNuWDnB4MuKfiJ6hk8BwnqydtHtw8aW2S8KmWIq HzQSHdfP9jULMfmSPt8GgBGNrP0DeuHvgj6NjBf6f5c/4ekDw4K6Vcb7l/cDrK2P Xq4WYYBPlGs/0xvVL5SlgqELEUzrSpjon22SEnfN/IXyUIevp4Na3DgW1nnYhdmB Zng4lifPtee4SU2SP5tCUr2AP5EtqhjS65qk8XCgE8vWCBugcpbgwpMg8N++o3IU gKd7oCe71uyLmB9+QaXTAsMQPx0NZXJwobc49Wwm4mSOHvwOhRpgeLJdNkYur+rg sv5cg6oIHHHxI4EOaGuPYYhaF41kBSvJweOEJHrOl7zz0GG8Efl6iV0zQK9tAX3R trm2VrZ5lj1z+h3vZXa4fmkslcXsw/jczkOV54LBjO0anckvwSlvc8pNI8CdtagO DZ7vyoV++jhYyvxB0S9prqC1A9heVrrXHTBC0Vlmlas74PQL7m3TCP+4orBI8pcM Y1NA5WcIaBzWQfgZdTaBFpfhxbLfuZGjeBAYxCx6muINmY6pFlX7jAJnRDvS90Xl gm3czsq0clyzSE1vQ4CtR26LFJyd5gGBHXEanHZ+HdRygER8l5Xgsp8Hflctu1yG JJMBptwPIu3aB9xAjSvpR9ZRnhsRZadX5Sdc7Elpv4LirZy8RuXxTm7qZJgDeDzZ mf1pNa8rqFAcG21YMcDaOSrNHzVUJi4kJTpgOHu6cGhdgHTCa3LDjPLs4zikt7s/ 95OOWeP1DNXmkmLMmDbltoByAdbJRjMcDBnfc0IjpXP2to4jvNXyhvM0dAX4nevi YOcbEKk+e5peH4DqGg4Y9fG7tfdNMs+HH/qntj197BJLwHLMpYVLUK5N788qo/so TxCqyFTjIFiTAuE4FGIjNmtpXCINMhqCznCNiUiOEcVjEOZ2CkgN6A+/Kc2fdA1H kQUgK2U+CoD29bM1PnymtKSB94IIkv2uxrvnjZbpxhaoshU0a2jvyRSqJoayoL9m JpL4XCK+OXD1VyiBfVtrOmL1OPnJ7Qw0+6GOGRRJVCMo2zhhtKU6bpa1hT2Ak6Ca /h2dAU9CnYpiA02TNXoc/mTBQkw8waDkfEpohhW99psN9ETQDCwcvpAPI5ACTvzL NgtZUd/JLV8KiM8BRFCZDLpZ/0aqciE/ISNbzysWrou2jjuSxSrKOtMzcnLqxGPb qPf0NRnH5jY3coy9KLeohecumUjaYWd2 ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9743985CCDB6806

http://decoder.re/A9743985CCDB6806

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d17a6951aa9901375b5e9554b76c1d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3d17a6951aa9901375b5e9554b76c1d0N.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2ba50672.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1744
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:852
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2032
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2716

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\k1[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\28AD5F50.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2ba50672.bat
      Filesize

      187B

      MD5

      d79f1a1f4b2dd482444ac946377f9e28

      SHA1

      82bc70faf2b30503602fc062ccb02046cbc29c93

      SHA256

      286fd6aeb1ccaa326f3ab1b35f3707947b8a3b995ede5703a61da473c352f66e

      SHA512

      9b66ea737ad8de11c35877890832d42cee87f74089ded78beb38cb0740db7dd7a4b0f559414cf63eca9108f0cd677d7bc23bd99e03ae8ceb83f580a28f91e8c1

      Download Submit

    • C:\Users\y8r89bj-readme.txt
      Filesize

      6KB

      MD5

      899b94130bc4ccc1e9caa6bf68dd31d1

      SHA1

      e36810f423a853ab42753fb08f6609197b7ab1eb

      SHA256

      db4aa8e07a9a0e3908a290418ca448a3f08f9485c8dedf2f08556c39200ca04f

      SHA512

      2973bb25ac4f0fc24a1a02dcb8bfb6136fde9f696adbd23a9c2dbb5877f7d537226bf66f849f5cffe99b71f0100524360d4df643b592a6489fd952471252413b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\DFoPDh.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • memory/2296-2-0x0000000002390000-0x00000000023B7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2296-3-0x0000000000070000-0x0000000000079000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2296-9-0x0000000000070000-0x0000000000079000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2296-567-0x0000000002390000-0x00000000023B7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2296-570-0x0000000002390000-0x00000000023B7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2308-12-0x0000000000320000-0x0000000000329000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2308-554-0x0000000000320000-0x0000000000329000-memory.dmp

      Filesize

      36KB

      Download