Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-09-2024 10:05

General

  • Target

    myfile.exe

  • Size

    161KB

  • MD5

    aaca0b25fa85ab4507d3861697824343

  • SHA1

    527c1dc2a340dd48652aec14a6316c7af0ff74c0

  • SHA256

    6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5

  • SHA512

    4c1982d2781b174b33375f57716c89a425e2660dd40484566e1c56af2f00a258c14022a7eda76278cdb530ce67adc5f74dfc010651deaa14165dd54fb1add6f2

  • SSDEEP

    3072:Hp5SexkWi1Lbi4eTMlwDCnu/qfgh9zIeZGm:JvGWwbnWJ/RfI2G

Malware Config

Extracted

Path

C:\Users\0fd8gtm4q-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0fd8gtm4q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A4DA59D30890BAA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3A4DA59D30890BAA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: p5wuZ0WozOeNpEqqGW+JryKNKXvGp4+0AS2A6bmBctbG/VtujdzocK4z0wVFG3E2 SQG/P8aay0kqKkLY7yYCcOsuE3h2OdvBjL+PEClZwJadTVLJgbNNqBclU44rpanQ ljmMd2qidQ0sSKzqKymcQ45ycbCilvFhvDvH6zJGTGsnXs3aSDP2ta82Ned8xJIb 0VC3pmdOU2Uy5RbSbrmLgrewMpY9w1nzwS3fNCd+05PHRkL/cqmVJ/u8hwBlD4dI ZtMAeyZ/2YCV2chfCu/0Qii6NIqT4HqkIWQInWoJIc463NAHW7lyo20w0N5irbmQ JWu6myV6P6tD6+PJ+3M/hxdTxFKzcZP9MytQz/oHVVyxp9LiG+oudf2WiJQSG4oT qnIvqEvCOYLvHh+xl1zekSIIl19XF8hlIdORmE/4DoZoW2q8Rh6SO+l3rt4HqZvh eav6sRoGHmZoMCH59lL7yQ0S5hwu9MIQkfWFQD6qNC7Mc+37KqZN/3AOlaL0o6vT j5wBlMBCHjIFZiLNEgQkiP7npGfzOdnF6K7AUrQvAQ2RVa7ssSZTopYrUVuj+dKo 6cqSiuHhSLRxbmfOrnflgIBQSZlivYTjDDo6adyYl1A/FZj3PsSQj3oiW6ZrxN5X ZMu3DHbiwCZ9RGiDkOzJJ2tjKRVmrkt/6BYTCut67FXYD/pVCr+8134kU9EiPH3z DvwKf1ToakgYFWVf3bhghtcpz9CDO2R68E4G9YoodbKh4w8Psd6DpwH2anJJwlxM eBzJzXg8U7DdL+kg0Bzi1JO2O5N5PosWu1r4vJFQCQ1QHjDoDJI36cwF8qjoRKCw hVeg7IfnhCgcg9Kjj2enC1QctirfR0Xx11igWKBTDOSdK07qDkn6HIjJSobAMeJr Gr5Iz7GFcymO4tUAhdNU+otCRmp3cSJkZjtxW//QTGFV7U+pNLjBWsBZ42/jsmiG 6IAyV6HDiLN915f8TOuTBOTHkCUJRDJeVibDleeeeREAuuDhZAzQ9ETn+zwjmadY FOEpVcWmBpNl33GU7cClye1x7/3a3UOVrtLQbrm4H8qoan2ZCCetXsmh5dJeH9FG EKWgd/oIZBy1SdBNNkNtk+h/Vri15ACbmQ86Yh9pn0y9IQmf9glyzYk0lf7DNCeR Y5XUZ0mjxWJCfOaazFYY+f9QDhztycl3B27urIDYWwpipiQaK7hmjvqNoOlFdp58 Qlxbb03NSh4UbCGbQLm63AUJqWlKtQ== Extension name: 0fd8gtm4q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A4DA59D30890BAA

http://decryptor.top/3A4DA59D30890BAA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\myfile.exe
    "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2144
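
The child process above runs the recovery-inhibition chain typical of this family: vssadmin deletes every volume shadow copy, then bcdedit disables Windows Recovery for the default boot entry and suppresses boot-failure prompts (ATT&CK T1490, Inhibit System Recovery). The Python below is an added detection example, not part of this sandbox output or of the sample. It runs over constructed process-creation events (pid, image, command line) modelled on the tree above, splits cmd.exe chains on &, &&, | and || outside double quotes, and flags shadow-copy destruction and bcdedit tampering per sub-command. The rule names, the three-field event layout and the two benign look-alike events are assumptions of the example.

```python
"""
Detection of the recovery-inhibition chain (ATT&CK T1490) seen in the process
tree above. Added example; not part of the sandbox report or the sample. The
events below are constructed to mirror the report's tree, and the
(pid, image, command_line) tuple stands in for a Sysmon EID 1 / Security 4688 record.
"""
import re
from typing import List, Optional, Tuple

Event = Tuple[int, str, str]  # (pid, image path, command line)

# Constructed sample events modelled on the process tree (PID 3316 -> 2144),
# plus two benign look-alikes that must not alert.
SAMPLE_EVENTS: List[Event] = [
    (3316, r"C:\Users\Admin\AppData\Local\Temp\myfile.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\myfile.exe"'),
    (2144, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
     r"& bcdedit /set {default} recoveryenabled No "
     r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4488, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'),   # admin listing, benign
    (5120, r"C:\Windows\System32\bcdedit.exe",
     r"bcdedit /set {default} recoveryenabled Yes"),               # re-enabling recovery, benign
]

# Rule names are this example's own labels, not a vendor taxonomy. The bcdedit
# rules accept any {identifier}, not only {default}, so {current} is caught too.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
SHADOW_RULES = {"vssadmin_delete_shadows", "wmic_shadowcopy_delete", "wbadmin_delete_catalog"}
BOOT_RULES = {"bcdedit_recovery_off", "bcdedit_ignore_failures"}


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe command line on &, &&, | and || that occur outside double quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif not in_quotes and ch in "&|":
            parts.append("".join(buf).strip())
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:  # swallow the second & or |
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def analyze_event(event: Event) -> Optional[dict]:
    """Return an alert dict if any sub-command of the event matches a rule, else None."""
    pid, image, cmdline = event
    hits = {name for sub in split_chain(cmdline)
            for name, rx in RULES.items() if rx.search(sub)}
    if not hits:
        return None
    # Shadow-copy destruction chained with boot-recovery tampering is the full
    # chain this sample runs; either half on its own still warrants triage.
    severity = "high" if (hits & SHADOW_RULES and hits & BOOT_RULES) else "medium"
    return {"pid": pid, "image": image, "rules": sorted(hits), "severity": severity}


def scan(events: List[Event]) -> List[dict]:
    """Run every event through analyze_event and keep only the alerts."""
    return [alert for alert in map(analyze_event, events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']}: {', '.join(alert['rules'])}")
```

Match on the command line rather than the image path: the parent here is a 32-bit process, so its request for C:\Windows\System32\cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe under WoW64 file-system redirection, exactly as the tree shows, and a rule keyed on the System32 image path would miss it.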

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\0fd8gtm4q-readme.txt

    Filesize

    6KB

    MD5

    88759f732fd8efe1e6457522df6d0faf

    SHA1

    2d9eab01e23b4b1214a6508dc49cf96901383558

    SHA256

    afe663c5b33ae274cb0efc97c4c96e2fc3f8f573d663b8c5c7178448e01186e6

    SHA512

    853afa8e77eb9aeb9d87e0e0a93df806bc430195eaab3d57e6348d1dafac26a4640f518cfe82a178a19dac96313aef56dea63019e4d69397866ccb7029ed3c20