Resubmissions

11-12-2024 15:19

241211-sqgcmssnbr 10

09-12-2024 01:54

241209-cbqprsxngx 10

26-11-2024 23:15

241126-28wpqa1ndp 10

30-09-2024 21:45

240930-1l2rsazhpg 10

15-09-2024 22:03

240915-1yl7vsvbpf 10

15-09-2024 20:03

240915-ystcwa1elr 10

20-08-2024 16:21

240820-ttt9cawalj 10

24-06-2024 04:58

240624-fmba1a1djm 10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 22:03

General

  • Target

    v2.exe

  • Size

    121KB

  • MD5

    944ed18066724dc6ca3fb3d72e4b9bdf

  • SHA1

    1a19c8793cd783a5bb89777f5bc09e580f97ce29

  • SHA256

    74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

  • SHA512

    a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Malware Config

Extracted

Path

C:\Recovery\474w9n-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 474w9n.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C01D3D0DF894AE75

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/C01D3D0DF894AE75

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: jnMy4ZRPqYbh5Wcty1ZBfVebMtWwhPAAFA4jQtIxM+mjM2389V2Cfvbmhxl1UYX4 V+kxV93Di1kRV2PyZGurbTTTTg/6GPojyj7FGXroS7iZzJARDJ7kiL/2GhBlNIt8 DMeKlgCEOU3rmmypk9uNmPUo2aMNIuGx67AYPdkSN00yRghw1e/xPiJwcMPxMxhZ Er8rvdt6gpuWlgMZmvrYP6rXFPtPyzSLJwIlKpojf3rRhbEWF77SY5aVnCsCW/79 255eFQ0xGEb+tx6gpsyWC5555ppcxk4XDVSB8y1AunAKOERxrjl85XTOPf8Yr6o7 FKd/c8xZLhZ6t577dlI+CGwSGfCJF/I4L8Ku34MfluIUc2QKNgamNRi1DYMcwWuN BYhZ7HCHyq3uHqOk+6mf4zezuJ6038r/QS6CNsmj/tNV8gtMMEt6xB65m0bG0K7c 5JuohnGe6cYYjBlLMvjUHf0ZkWf5TWNYHZJoG6qoVhFiC8e/U2vnY9G/RvykR5Z9 xdiIjqt7WgYLTb4aTHmcLdMWTVNWWcOmYtbYNZ2NK3sgxaat92eSGXL8S1qvrdBh +aKNcYc3jCLHeADgHw2Rdzt+qiIb+ERCi2XK9So4m57Jig5qdhuq5CztTKcJtfPV SwKjDsilISCLG5XAf4ergO9Ix+qguWS62Mv1zRz+Cj5+ltRCXHw0jbyKcv3ffVFW C6Hdr4SEXKu5Pkrl42f9LIycz3+FQ3yEBahT9/eM8WhtQRFvinbn9yA078xxJB8B LeIEIXvSl0YDD59FZ/5rSxmkBX0f/mInRibLKJGRR8Ns+m+OqlmWgChUfYOH+nRQ /DxLiKJZzsCFW9ZbRNwoD9tdKV3hutQUgh5U0/FukTpLuAr7JoL00LC3tlrmnrUZ W/2dP63KQ/M0IdUxVnDTjlPyeFQ+5PAuTvIOxG6sfqTGOsMEqXgIvDQraHCeyLyx /FtOUjWJxi++J16XhMz6tMHXE5vUPKj9cwYvUfQjiUyTRl5cKKgpp1sj3NY/3knk Gz7cjqCCLRlJwVN5oK8kGxhNllmdsgE8egoMtNtqbxa6VWPxXvcMXlV0xTbI2jCo BO0Aq2StPbhxkYF8tJpXDoEYnwRX3YtYecd+sKJuRvFCqXtJAfy1oWGPfr5nTcei 5pQ6UnjgyHhffvZtp66/gIyHiTo+dYrUcA66tODcBgZPBeygkyfCP7ZAiKU+wK31 Djm3fp7D6Xq2uJ/Fz+uaXSegzhUMP14Jg8BL3CxhED2z2+Nhu/VHvlhrvoKc+ZRo DUtFsdtFqh8L7GuUFjG3eqvR6qMfC5nQ3GOmvyCDPKlGr6tpiRk4k5sAq0tCmhTU s0b5/HPSpXhxx+qyF5vJ5Gdz+vC9Ug== ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C01D3D0DF894AE75

http://decoder.re/C01D3D0DF894AE75

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2968
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2684
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\474w9n-readme.txt
      1⤵
        PID:2256

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Recovery\474w9n-readme.txt

        Filesize

        7KB

        MD5

        bf2b8a96866652f260a15964f09b3ec7

        SHA1

        07e7f71dfb0ce96bfeb75ced073009624d71afa0

        SHA256

        05077e7a790fea060371a0fec8341aa9c31ac3b4a7428be14edf67d1bf3e63db

        SHA512

        d3cfca0af61e10f25fa596a5e879d8764c0b60351230475babf136b039f59664a890e28ec103874e89c83065719a5a18a600dac2bf4b22cc92f942a41beaedc3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        471d6e145cf1b16bbd1bf9eb6b4bf758

        SHA1

        9b7114feab79f18d8d7362623f9d37887ba37817

        SHA256

        b735cdc6f5cc2afffdee50400db0b061ac870b4e3bb71d21d4d8d135e4af6ac3

        SHA512

        e4576ba05ec658caa5d196f1ffe8c3b47b51ba280174a340e6f3a6c9aaba0bf15fbca4358bf7b8d5ff4190ae516941469a9545c6c620a05cf6562cc10f95a7f3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        404626b71f3435778d83fbca870b4262

        SHA1

        5094bb9bec69f24e3caf9faa8829998accca6925

        SHA256

        f5986716eb619cb26d8bda0a0b7298988bd8ad0baf67d315c146538876be42c7

        SHA512

        24b8f11968e3f20ecf98ed30bf6e2fcfab156b181cb792fc3780a99bfde92f98c6f1dadccb320f9f8a7aa15dd9f269ee7764fc8976551cea69e91150a64149b7

      • C:\Users\Admin\AppData\Local\Temp\TarFA2C.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Windows\System32\catroot2\dberr.txt

        Filesize

        191KB

        MD5

        8654f6c6e05ca44828630e658700bd05

        SHA1

        f84b6be984c9b0a4c9b0c6b822e2d23662ca1e03

        SHA256

        edef0d651ff7a36e430223d6283dff55bb53b57b601491f57f69474cc622f8c2

        SHA512

        b7ddad04946fc48d5a0bdb100fcea956ac31456745be636107ed39e5486cd76f6a5173ae8643ff491b5f81b7df74c7dc19f4a827d3f7047f3142ac1926066861