Overview

overview

10

Static

static

10

3d17a6951a...0N.exe

windows7-x64

10

3d17a6951a...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d17a6951aa9901375b5e9554b76c1d0N.exe

  • Size

    152KB

  • MD5

    3d17a6951aa9901375b5e9554b76c1d0

  • SHA1

    df1af8b22004c0668f2d0dde3d05ad6d5da3b0b2

  • SHA256

    9a93ebdf53267d5d064df0fbfa5951a2ea2d503fd89e837e8600ecab8d7950ec

  • SHA512

    98e5fad58c49bed4fc4c505d4f48d9fd33ae9b620ae3be28e5d0da7944c64e5f2b8da17e1154f08b9d9083fd39aa27350b63ce93a8213d8a9b2be9089075ddac

  • SSDEEP

    3072:ctchTojrZxtMhiiZHjUyWr4X5FTDUfGCH:c8kjztGiiBfW8X7DUO

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254aspackv2discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\f7necaa2g-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension f7necaa2g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/41BFC4A55BD7320C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/41BFC4A55BD7320C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: QCRkwavRkyJZSkRmvo/1B5/LhHHpjzdn+Xa5J0+nHgN2UjI8995OenH25Cju36ku hr3n5tOHkEK0nFuCI81aVu4S4TYW799tgMCF1uNI/5r4k5m/gFmFQGq5S4ymJ2/f PX1IGqLAljplmzyjj3bKkK8qUHEfKr+GKi4bwnFyUQPlZAHBGhl+8bqhhXv4yxgk vKoeUqxOsMo1VShMczUAlrzPthRLv/vZI9MW6SIsMDkOcCh6Z5+WjXMHLB2gQWuE XmldkYsGRNWi8kYxE0NfEDXrLZNmOvR2eiQzmoKOsNRpq9rLguDViOYu++7kxLLX 2en6xnT0cFFAqMQtdHdbqdiTpF41vsxYpbcR0PPU184rDVPsUuJvz9QpEMH8h/Jv okWKZWYjDPxHxPuieeaeD8YMT1231gdvLDk7YNm2cajFBGGsFchBcLwrOdAGgtNO r+Bvqf5umRp0OABAPpEc/V+v4vjfeZoxfkcmOogunEoA6363edmHZW/z1J741pTI IimoSiREYXIaUgxQvD+MVBY5TBO13/Rico9gC481QMamm5Trl+o5a1hkGttitQrt 8ZlpP4+R99OYimGO5ZW4s0YZdUSAvhqjZ1UfsxRid3jxAqK2qPh5CHG1qo9+1nbd sWe1Tln56RAVtEubPx7BWt6T7SrxHVzTp5R1JGbS/gpzllnC+1YXgnjzJZr2vLLX SSu3qh+arf0pzZnD8Ihh/8gEJYayH70LBqI7YxpVcfOtjhSe24Bv2fezURrJS7zz vAhqgePqTkRZGsXT5BSWE/Oc34SxnCV2+P0cMfCU8olvz+xcLoH7eRBq8uzU0wXJ QnkG6qeHlxpBJ57Oam4MFM3aO5zx3/AoiHudmvw+MQjkX8wkxgFAou9PHkTKpEGa vFT1bQiGXTw1J9TH5bDojhrzAZsPCYt5IyrJ5CDz0rm48lFqkEKiF+BsDM4wRT23 XlzjBEKcz6Urw8wHjj/82js9W1Pvq5nvJUAF0BV9zFEfRqo/ObD0B38ZaZM1ooND O8KEspwVakRbuqhndXC93OYRwLzT9bXn8lVb0Pr49WZSzxxw85BrO39vGLPvAE5d aEJGRUFU/LpC5qRI/VV5XrC+avmBocXqS8g84EwdK9L+aHD9zlPvmGdM9jMXHZxb AcGGP0SHAxxNYY1nGA2BX0FPbWAfRc/fGLW0Y89xaTIBBJ8XlFBM5WUSoh4tKxZt 91Ql2zD00RX03Y+PpcjorB+0iygTekcx+LeRcRmdB8kfgyi3LkFwyKNlSZgX7sCu IZmtMtstb8XjMzSIE6lne7Cg9N3xdPz58TrCrzmzPuxIcMzE8b1UKB7YBt0kjpgb eSQ4zHQcQ61S6cn82HskXKCanyCd0Bn36MGqvoaGPxhNXA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/41BFC4A55BD7320C

http://decoder.re/41BFC4A55BD7320C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d17a6951aa9901375b5e9554b76c1d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3d17a6951aa9901375b5e9554b76c1d0N.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56ad7656.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4724
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4476
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4792
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0EDB5347.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\56ad7656.bat
      Filesize

      187B

      MD5

      25d14aa146a04dd5841e43036c0b6d37

      SHA1

      56061a02565551d867c34723f42711e10f1607c6

      SHA256

      95da9ac1912e146215a026b27fe0b1e2696dba7b8485eb37e80ce01499362228

      SHA512

      6bc6a96c97d1a96f3c0b8f8d3a3274e4c7903a25461ba4b7e4ecc946271d5b986ad74d896611e5aa263d378f69b7030e7d10e52d7ba102a1ee768531d8f52220

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DFoPDh.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • C:\Users\f7necaa2g-readme.txt
      Filesize

      6KB

      MD5

      0f204f777086d1ac24ef9ea83b455a74

      SHA1

      e31f308311714af9e4b6a42eecdf7c4e3baea99f

      SHA256

      04df56ede75d8a5a19723beafd378e92659ff96572ee7f6ce72c66ee2b55bc38

      SHA512

      89aaec87569b26ed656998c26a775eab02aa56ae87987b4d737f13db26054c683d66b2d30a3c902501751f7365fb607a7b17b7679238ec3f13f0c772ffe04d85

      Download Submit

    • memory/3704-5-0x0000000000970000-0x0000000000979000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3704-47-0x0000000000970000-0x0000000000979000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4488-0-0x0000000001E70000-0x0000000001E97000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4488-486-0x0000000001E70000-0x0000000001E97000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4488-490-0x0000000001E70000-0x0000000001E97000-memory.dmp

      Filesize

      156KB

      Download