Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-09-2024 01:54

General

  • Target

    6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5.exe

  • Size

    161KB

  • MD5

    aaca0b25fa85ab4507d3861697824343

  • SHA1

    527c1dc2a340dd48652aec14a6316c7af0ff74c0

  • SHA256

    6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5

  • SHA512

    4c1982d2781b174b33375f57716c89a425e2660dd40484566e1c56af2f00a258c14022a7eda76278cdb530ce67adc5f74dfc010651deaa14165dd54fb1add6f2

  • SSDEEP

    3072:Hp5SexkWi1Lbi4eTMlwDCnu/qfgh9zIeZGm:JvGWwbnWJ/RfI2G

Malware Config

Extracted

Path

C:\Users\613bo4vue0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 613bo4vue0.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ECBE2D33F52C643F

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/ECBE2D33F52C643F

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: z321p+mi96m2cKX0bno4ypmiD1a6MK0nSA+NvIQfmceCzTag/TwhqF+2LzzFlQOd 7Mj4EeqnoRHDA/ByLD+DGAz9/v8jPxn8jHNC8mOT5qRrIrosMXIPwXiCR9kMng9g o3giitMun42MmEkoC95VBThRP5hcGxwkLFLYWFtlZLnVirDhPAMzuCXyxmkGLjBg 7H+cutcAlrPgBJ57o5GeehRr04alJrdHJJUOTR48PCm2XhbznLRXYEU1USTGQQ+5 bo+0OKmEcE8a0TkxkHSXtPB93IkOENaKyxMVRPm4wKwk5xWJ9C0OobiCeaV2UK1e UFWpWqB50vTppx23IwtsBeXUxbTI+S3bnSt82EcwbtOlLou0HqXPfRRbq/5GkNlS 5suZLB6XxEHlWS9rjrePvzuEwBPXotFinGR+I25Oyk58RNN87sJyX2gRY43eJoyP eD9hndtSTwHihkZW7vnFuhVQ0ptWuFmPZelQ7oxWrMkeyKjd7Z22fR+gB/yUbJha 9gyMVEkmAwrdQXiaREE5I/BBYTzzsGP5Ndo2N4kfHysh1IV70jn03P+HWVXSfVXS khCpRf4ZhFFXMIzjreWfAJQd1j283f0DQ4P3Eqg62LFHUtBKh83qgMpI1fTHJ7g5 kjVP969LkQoewiDqmzrkXbn4xHfVxxNliAhZ8DjJZLilNYyNOedGsDCvlZW+tAUO P/fq3uNiCCtwKNdxKvyez7NObpXDsUdjYhEy65USP+to5la1E0TGNsTAO5idazQj rZVsah9c39cbMY7r0CzOVyZM9vsda47R9zhQgFOCMN7pxI6/ut30XpuKks+bIK+B nvXQrAvHSGq7/N9QP8riXbohrdhKSfWcsO+IQ0lSZPcjD3opO9S39wYhYEtLdABW mfhjFBunpjCLa+gYlMKUjhlTxudsmB3TkXzEG0L25yBm8XX3vE/c0BygWX5I5hhf SYoqv5ecQ7P2CBjUtC1NzZwUrEGPmnugxMnX+GuneZDnEb/PLHa3Zxw7+9Ma4nkh qNXjpeq6HNde6zsiEtsslIVKwKVleSZNfO6RSo78G54nqEOd6HXqAhazJlg/JM3K /trQqJdaiY/JLlNLfnCcmAfY8JEMn+UFR01lTfZatqTD/4AY+jP56RFh3FbNxJ4j 22gtH/y0jwH/Y2BbHTrtqaEPvwoUCaWZbJi1PDAKRCFWX/gUmYrbl0nL25E+J/b5 SVrycdEwyNFFTE+uylSRY5S8gflffgrp

Extension name: 613bo4vue0

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ECBE2D33F52C643F

http://decryptor.top/ECBE2D33F52C643F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5.exe
    "C:\Users\Admin\AppData\Local\Temp\6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\613bo4vue0-readme.txt

    Filesize

    6KB

    MD5

    c6e9b89b2c6255c87ed1aff1ca973e62

    SHA1

    444b9b956af9e729ccbb5a249053c349fd18868d

    SHA256

    1ccb5348b14ea609049152168f042214b60e21942cd58abc18957df5a5c28cc7

    SHA512

    febe9a91a6d3582db54b6b7275f8d38ccd7f112d54deb4415edd679b914d2f8e37f591edd383c9eb99a8fd1bcb07bfd53559bffe7cf9f30e5099de45cc708ef9