Resubmissions

  • 11-08-2024 04:29    240811-e4cpqavfmp    10
  • 11-08-2024 02:35    240811-c2187avfqa    10
  • 18-02-2021 14:36    210218-e988k496be    10

Analysis

  • max time kernel
    77s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2024 04:29

General

  • Target

    2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe

  • Size

    118KB

  • MD5

    9c08dfc58885a9a7beca989ea5ee9108

  • SHA1

    ce2f51348da7a19dbf0e79b64f9eb8e46f45efa3

  • SHA256

    2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e

  • SHA512

    34cf39e4976f264f31b3236cca87aeca04ebc447fe99b35bbb72dd126462eed78310954fcdebab48b1f3ad9eaf5efe22ad8405b12d80ddd357244138067a1ae2

  • SSDEEP

    1536:pRGfmACfvCHeQ5EJRDKiMIfB6Ym5p/eyxICS4AxpoC3/0bZ2YySvKxBPyAU0DeWj:omRj6YaWm8/0bZCSvKDyhVv

Malware Config

Extracted

Path

C:\Users\Admin\d38vws2ov6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension d38vws2ov6.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] Data leak [+]

First of all we have uploaded more then 300 GB archived data from \\UDATA.
Example of data:
- Accounting
- Finance
- Personal Data
- Banking data
- Strategic sourcing
- Management
- Projects, plans
- Immigrants info
- Confidential files
And more other...
Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
Read what happens to those who do not pay.
We are ready:
- To provide you the evidence of stolen data
- To give you universal decrypting tool for all encrypted files.
- To delete all the stolen data.

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5DA3E1805DFB79EF
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decoder.re/5DA3E1805DFB79EF
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
buuDuH8fOtzViJxlRcVcywjbaJeRt3BRLo1ULI5QzamtEhmruzBBeKAa1D4lYqCw
NSFYx1fNcLxuIjRV7vBxsqW94sqrhzhlG9ICf2MB+WY52b0EsrZFbr8E+m7LJh+y
a823sazTZJ2u97wDerpSbLtsL3xrYPynaP4eFcZiNK/d7NQrPUqF3f2ZA3LJBu9J
SBGV4srY7Xs4YfrLI8UVvhK5zsTS9VrkzdzV0gtXD3b03p4JS/jpwmS7W/lsdJBE
/J6TSw8EkA4CoWLJgWN+WqcGbS8Xf0wGsF25HNBH4ZTBdtrZ/En2OY66zmhCSavy
wLJmZxmrbneRWXVj4DSupZyF5WRSs+Pro+2JMJ1OP3i6RmWazXW+FI2Dkt5d0hSp
ghhIdoQXgQtgdKdEpZPToljWWr8DtRFefSFh70NtTkbE8dpJUL9tE9u4a8690KCh
xRVsHj3MoPXWUcESicSXyeO/T5UJe3yT+pLjbGE8m5KDOZ6XOdsmQpEBCe0qudGi
/VnY5Vw87i1biKQ6kERTbAZjkfaMzCBIKxfxGpm3RoKMurAy9ElN11TrtV8HRlvy
jgWMXAMAGgTo92Mbsw6+WBLqw1E/f/fdE/YkI358EefaFuhqglCHTn0kK/XaAhMP
DHaBMpKYXLpm0qFfBg4Af2N2+a6/UA4DfN3UQZI3iDVT9E/fb1bZPIxH7aWRhDCg
jUlJw4N+6czejbluCK++Li4vKvl/1u5vCYKAH1NWmCL/Ehv2lYgKuD3snyrkF2Y6
LrJm4vRP1HwuUBYCoNAJ0xqKxbWUeiW7tLkbeqIaatc/AYpCh+hLIlHkwSVa//tv
lMTNtK5GXk0tVSsThshcZHe6CoKT4V/t3jE9IPo56jk8mJRBtWg0xcKeElCD5J+D
O4qSzW+trdIsK4OoHEpHEI+Ek8j+P4aS8SNm23Lby1js5SBopDq8aF0hv6fp8lsG
b7mkBTcZ/AbLBNhjFAvLDsakEGZLGPfHNzbXxNHqBu1XLgr4T7gUhNyF5uEWaZPi
6Hg16FJdwA/RxIyiP9Wr4+xjLlD+pzW+XQv5ipoxzXEto0x+erTyf0M1UsLWuV4m
2gHLBkF/f9YnoeNbE/2lCokXNJt84MzBR5cOefSNc/+mSSSxer/6+6ET60M6sVk9
zGcYQyqkmTLroErfBIkkn3SYZHPC5miSAZSIfN038wcjJhQrTkpAFVyGH4cdOQbL
FhpukAMm2T4ptIldadOiVB4Dm4cEugEYzB9VwhtPUvdtS1Ncf/NRgPXZHQOaHXk/
px62+6AEokrEQx4a6cFeJlAHlP7DzRi9qYck47RpaZ+9jXPZKibGgeTvktV+XjFw
LblCEpJJYJ4/Vvychb35ZfztL1gBPAF8kiS5UqC9k5Id+DmFRYhvHqqw6kJ9TQ==
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5DA3E1805DFB79EF

http://decoder.re/5DA3E1805DFB79EF

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, the web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls it to delete shadow copies so that encrypted files cannot be restored from them. Here the service was reached through its COM API (vssvc.exe, PID 4956 in the process list, was started on the sample's behalf) rather than by spawning vssadmin.exe or wmic.exe, so command-line detections for those tools would not fire. The report records only that the API was used, not which operation was requested.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe
    "C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1552

  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:612

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:4956

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5532

  • C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe
    "C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe"
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    PID:5856

  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\d38vws2ov6-readme.txt
    PID:6088
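The signatures and the process list above give the behaviours a host-based rule would key on: a `<ext>-readme.txt` drop, a wallpaper change through the registry, writes into Program Files from a binary running out of %TEMP%, and vssvc.exe being started shortly after that binary with no command line linking the two. The following is an added example, not part of this report or of the sandbox's own signature engine. It runs a small correlation over constructed Sysmon-style events; the PIDs and image paths are taken from the report, while the timestamps, parent images, the WallPaper registry value and the exact file targets are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Sample image path from the report (PID 1552).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe")

# Constructed events modelled on the process list above. ts is seconds since
# the sample started; parents, targets and timings are assumptions.
EVENTS = [
    {"ts": 0.0, "event": "ProcessCreate", "pid": 1552, "image": SAMPLE,
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": 1.2, "event": "RegistryValueSet", "pid": 1552, "image": SAMPLE,
     "target": r"HKCU\Control Panel\Desktop\WallPaper"},
    {"ts": 2.5, "event": "ProcessCreate", "pid": 4956, "image": r"C:\Windows\system32\vssvc.exe",
     "parent": r"C:\Windows\system32\services.exe"},
    {"ts": 3.0, "event": "FileCreate", "pid": 1552, "image": SAMPLE,
     "target": r"C:\Program Files\Common Files\d38vws2ov6-readme.txt"},
    {"ts": 3.4, "event": "FileCreate", "pid": 1552, "image": SAMPLE,
     "target": r"C:\Users\Admin\d38vws2ov6-readme.txt"},
    {"ts": 40.0, "event": "ProcessCreate", "pid": 6088, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": 41.0, "event": "FileCreate", "pid": 7000, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

NOTE_RE = re.compile(r"^[a-z0-9]{4,12}-readme\.txt$", re.I)          # d38vws2ov6-readme.txt
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.I)
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)
VSS_WINDOW_S = 10.0  # assumption: vssvc.exe start this close to a Temp-launched process


@dataclass
class Verdict:
    pid: int
    image: str
    rules: set = field(default_factory=set)

    @property
    def is_ransomware(self) -> bool:
        # a ransom note plus at least one impact / inhibit-recovery behaviour
        return "ransom_note" in self.rules and bool(self.rules & {"wallpaper", "vss_com_activation"})


def evaluate(events):
    """Return {pid: Verdict} for every process that matched at least one rule."""
    verdicts = {}

    def verdict(e):
        return verdicts.setdefault(e["pid"], Verdict(e["pid"], e["image"]))

    starts = [e for e in events if e["event"] == "ProcessCreate"]
    for e in events:
        if e["event"] == "FileCreate":
            name = e["target"].rsplit("\\", 1)[-1]
            if NOTE_RE.match(name):
                verdict(e).rules.add("ransom_note")
            if PROGRAM_FILES_RE.match(e["target"]) and TEMP_RE.search(e["image"]):
                verdict(e).rules.add("programfiles_write")
        elif e["event"] == "RegistryValueSet" and WALLPAPER_RE.search(e["target"]):
            verdict(e).rules.add("wallpaper")
        elif e["event"] == "ProcessCreate" and e["image"].lower().endswith("\\vssvc.exe"):
            # vssvc.exe is started by services.exe on COM activation, so it has
            # no parent link and no command line pointing at the caller.
            # Correlate by time with any process launched from a Temp path.
            for s in starts:
                if (s["pid"] != e["pid"] and TEMP_RE.search(s["image"])
                        and 0 <= e["ts"] - s["ts"] <= VSS_WINDOW_S):
                    verdict(s).rules.add("vss_com_activation")
    return verdicts


def alerts(events):
    """PIDs whose combined behaviour crosses the ransomware threshold."""
    return sorted(v.pid for v in evaluate(events).values() if v.is_ransomware)


if __name__ == "__main__":
    for v in evaluate(EVENTS).values():
        flag = "RANSOMWARE" if v.is_ransomware else ""
        print(v.pid, v.image.rsplit("\\", 1)[-1], sorted(v.rules), flag)
```

The time-window correlation is the weak point and is deliberately narrow: vssvc.exe also starts for legitimate backup software, so on its own it is noise, and the verdict only fires when it lands next to a ransom-note drop from the same process. Rules keyed on `vssadmin delete shadows` or `wmic shadowcopy delete` command lines would see nothing at all for this sample, since the report shows the service reached through its COM API rather than either tool.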

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\d38vws2ov6-readme.txt

    Filesize
    8KB

    MD5
    d38e8ee353080716c72a5d97401f7653

    SHA1
    5e598f03c76fd8c77e8b3147e1e8297edffa75a0

    SHA256
    95fb6d7a8949bad243c0d2ceb2ee1c5212ad1df420094d040fb4825eb268c43e

    SHA512
    afb26e75e08146c6ef00c6daa4f5d4ecad9cfa14762734a93cd09fb9cbe7bde395aee637640953033e781b1dc2ca1c7a85b5bc50a9034390c0188e15b97afd3c