Overview

overview

10

Static

static

1

8dd620d9ae...dd.dll

windows7-x64

10

8dd620d9ae...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll

  • Size

    789KB

  • MD5

    a47cf00aedf769d60d58bfe00c0b5421

  • SHA1

    656c4d285ea518d90c1b669b79af475db31e30b1

  • SHA256

    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

  • SHA512

    4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

  • SSDEEP

    12288:KXnKcEqGM00LJdqoHuDWeij0XukcWl9e56+5gD6QRqb/kYxFNFsX3ArTjvJjx0u:YETDWX4XukZeVL/kYx9P/JY6gfjcs

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254discoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\1n5zpi-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1n5zpi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3C01452A5BCB2F6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/F3C01452A5BCB2F6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: yQvqX0CBM7My46amMR/l15gn/jma3mlio0G4hsnWgOJFAq5AvgUxLMQk6qE8qJEe 3j1nhrwvQ8NgX1R+yB0JCkvsBfda7Zg5moVdPYBxvcMEV+nihjJ8NZvBIIzJMUDe XI8IM8jEUhXA+SgnmQFyjbzfUclpv16d+hM/QFFm7G9aNqYhFrBbSjAeExGPGNkK OqSaWyOYaKwUflQAhlvFYtjElaGUfQa/DKcAbCKb8VtFatM6lpp2AkcoObrAf6WZ M4eFrYp6sIGWHtCaD+Q47rOZdXqka88cYj8bb7QuqZ77dmvUfZ+uvaJ7p8Pi3D5+ P1/EU7I9aRTE4KT2AKONbsJKDXb4jmzqSwD+/iP5G1gZNd8Tcs+PQD/NlNR1/Kwi OAb8lQCcMPIghp4+TVx9DXv1ftdojU1TnUWM7uzaXLJEBox27Pw99lnU/ZqHoTPV 6fTnCnedjD2Hr6S8CJG7T47rVfPpNa05EXF1SCQqagNhCJ14HOCMzpqJ9xWqJaFM ANqHpLqXRfRD73pbTMIkX7keLWV91Rd9ZfqRBmXHqyR+MmVbA4MoaqJl3e1p58mI 96fsJV2hny/6zGlWdDNUrUbyAZTIzbb6h2/BzyoPoy/hAcpqgRXBCuz2YMxmmM0w GNUGrcGlv3rZsoo7FxZPU6+xweBh/lXXQkYxc7XcdtS5c/2LbKUc1PH8YFIv1Bv7 qWcRFKxVZcD7fY408dSx3Pho4aIXWuIyDBVIqsSKb/V7hpkNG8yWGuQreTY96co9 w/qM17cmpaAWOC5yR5vFuyg9aViyLkqE81czF0h9m4aajNBnhhneshSH7WnVia+Y RaIrRqCcwQIGLdlQY1iXSZl2bQ+N7nLGctEUjNwXthItBMZ1N5ghlFf65yR5DYwI QcqriJ1ReKlHCZYMPhKAOLK38qPCuduDUuM7rlPt8WNcCKvMDDhLcx/YyhT0bbfd PyaKzyDdcrDNsMvPGjAmr3NNQxaaORlfxreM62Y5qYGLZQqnLyiHIGN2M9/wE44F 7PMijUUOfZJMccqN0fcyHwR0sSZzTdWja0LqVHxSyfxcw+BK6n0XS270+ybHO4rn WaRj48+qW7Y4B5ZNSckht48aSbMORMuqnAunEz9WUFUIGtlNTyu/I5eUpZ5x1l89 vX4kPjeCzyOddfUfdWjbyzxRmt/O14xczFd2tOqyFWZtJTeUA0+p+mrFnNRhAEgd aVEifTFboV2l6JzJz9W2Lzc3YWCiMy4+HL6drGcYjAf4w8ASEMFnK1iCxVBN0a+M hO+qwnl4cWviN/dJm6X2nyD6MiXYlFpW6B9VN50dk/llhfS43ApKnK84AjauIbt8 gXdL/f30WY/eS+Qa6LlCFtQBAg6LXA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3C01452A5BCB2F6

http://decoder.re/F3C01452A5BCB2F6

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2752
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3588
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\1n5zpi-readme.txt
      Filesize

      6KB

      MD5

      157940707e2270b6bc541ac3c86ac403

      SHA1

      eb4ab6ae2a081136042ff6a16abf88e5ce581aad

      SHA256

      dcbfc061d7dc264c00e490ca9182239cb2cde6b4c8e89fb566c91d93a6d6fc1d

      SHA512

      47cc55d7c5b37c9586dff098f1a2865069e04a84aeee048cfd0ec1ffebc709d3f799ace3e846e4f41a63cc41974a7c51e22fff7c17dc9d33c0af45cdb7d8d216

      Download Submit

    • memory/2684-0-0x00000000006C0000-0x00000000006E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2684-1-0x00000000006C0000-0x00000000006E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2684-502-0x00000000006C0000-0x00000000006E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2684-520-0x00000000006C0000-0x00000000006E2000-memory.dmp

      Filesize

      136KB

      Download