Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 08:09

General

  • Target

    2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe

  • Size

    118KB

  • MD5

    9c08dfc58885a9a7beca989ea5ee9108

  • SHA1

    ce2f51348da7a19dbf0e79b64f9eb8e46f45efa3

  • SHA256

    2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e

  • SHA512

    34cf39e4976f264f31b3236cca87aeca04ebc447fe99b35bbb72dd126462eed78310954fcdebab48b1f3ad9eaf5efe22ad8405b12d80ddd357244138067a1ae2

  • SSDEEP

    1536:pRGfmACfvCHeQ5EJRDKiMIfB6Ym5p/eyxICS4AxpoC3/0bZ2YySvKxBPyAU0DeWj:omRj6YaWm8/0bZCSvKDyhVv

Malware Config

Extracted

Path

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\5ff5vl9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5ff5vl9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 300 GB archived data from \\UDATA. Example of data: - Accounting - Finance - Personal Data - Banking data - Strategic sourcing - Management - Projects, plans - Immigrants info - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A2926C1C661E195F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. 
For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/A2926C1C661E195F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: UZhIAgWwqAzBPJgdZCpHEYKPWryYXrLA4/OonxRND8pDSRkLa/xSGCTPPReeKMqp OlvcJ+/T/h37LChBqhux+aWmM9M29rcDBfuj23dnPrTkf2ui/H3yMHlosXJozsTm sXwa+s846rk1Q1nQ778MCYiTaaSWMgi2tMMAd3k6rEmT7HD/v/IK3Y4Fc5R77cu1 pEVaqBab3Pe2xrS2nRFnu1rDYd/Jrs9MohaPXcBi/MTi4yLpYInRUPaIAlCFNgX6 IUM9VAFqwRc56L6fNxvpXQsJzcwUNz258laR+qc4YllvKvLIKmFlSoHE6fWpm+z5 OHHTe9v1CKTY9kf9eN/82o/N010S2pus7JDIVAtMF3vOVAld3otb/O69Navy8UU1 r52DfOpa85GdhbrgdezefiC95hkvpeqtCj5r1lDdQ72sAkLplsodlIzXVjwnzOo1 mVFEqRX4TldHUInm5B9MJ8GLzm3mIp61i5sUL9c5juwYLOjaOFNRytjpmd70G88T aD/fTMCfKfK6WqmmCYs97hGpJFDscgrB1O4ntLVkKrvXZGZ8R5zCOvqDmr5LNIhU AiJDS+nCks/b7U3cxee6jy7nu4WKhwZmYoIkgfbKNkWO8VBXCNw6e2it1x/q4NLA 8HJouo+OD7Lry5ita1dz24Wq1aXdS2RXiP+cvQFnx3YYnQBUDbFeT1KVaZs7sTvp SBCy4Fht2zWC5guyX2q1OFa9drBZUrZr7yThSVoIi++4JWwCUS72s1IlK5479O5s 5aV3O3pd8mxzQpNPJTnU5O/Maf0P9kN4x+Co1XbLcOnnpSFB4KpJI7Mez2qA3ID2 rh7MIy1hoTdbTKULOJ1Fv+P0ErF5apMfMQ0QNSUfa3ZsIIIRnWLq3zqQxua1Cz4S 8wX+joDXCPYgvScmrkfylcgmxKIjOb8t+Q9rxjWR4LojYCgLMhMI5MQlWuz1VVLR EGr7RH3UqU7hkTV3T7DaauiDn3RKrqbKlboutKaXBHIknftKJzB59eZmP3Smmj1o XuMJB/Pz6hWRbmCr9auIAhDMInaHY0tuLipfmxVddmGgxnvb7ncbEKiNyx73/U39 80uRKPxHeMYOOdOKZZpMwipEEGJN9U9iYrvTkz2A/a3umvCuvB4/UawUSI73JbJz WT0Rc5sSgOSoFZITPE20AFHghs40QPVf0HBhOOS4+v4VEyddybqdAJEsE+TZC9qD CvkqcKSjYZewcVjr6QRuNaP/hqd9fqcd2eilxN8lSFFmerF5ldS4iCWO2/WU+4Gv bXJNd6F4RNS3JX0/ZElbA9fW8goekA0PXshSBJk6t02b9gtecj2ohstVER2ghUt6 uhNUWPnrUyYZn0Bz30QchDML3JKYtewLs6Tqbshf2cavIg== ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A2926C1C661E195F

http://decoder.re/A2926C1C661E195F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe
    "C:\Users\Admin\AppData\Local\Temp\2aef1134cb696c922a06b71d58058d44e804391ff44cc5cd54335a1438fba58e.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3024
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:2916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2624

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\5ff5vl9-readme.txt

    Filesize

    8KB

    MD5

    e0d68712d1c93004521fcee2a9cf2d80

    SHA1

    c9c67b3bb7276afb03522ce5912e65396f1bdb8b

    SHA256

    16e25d20ff0971ac8d51b158b1d87f66bc7c2b32cbd05e8754ec37a94c2433c5

    SHA512

    66100c233284ac59ef915eb8e18a3b26cb67738048ecb9e926a1a317fc359892630a252ddb8085b33056610326c397c3ad252317362f6cae3106992efe6d4379

  • C:\Users\Admin\AppData\Local\Temp\Cab199B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar19EC.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\System32\catroot2\dberr.txt

    Filesize

    191KB

    MD5

    11a3740edce2eac6887381debfd12500

    SHA1

    a1cb7555c09a95a42b24061a5c0464221c0c5ca5

    SHA256

    eec52bd41758986d3fa2c5b30d178cf6bd513cc8c2cd8185e8b45a1bce20d828

    SHA512

    c8431b1726db94350b34dc041b68ce77d7920b563c7456c98bb1316c6d4827aef5fc0543d33c324364b90a86219497c0cb976cfd10e26ea132e8fb8ba9839bc2