Overview

overview

10

Static

static

10

017b236bf3...d6.exe

windows7-x64

10

017b236bf3...d6.exe

windows10-2004-x64

10

05676f2007...fb.exe

windows7-x64

3

05676f2007...fb.exe

windows10-2004-x64

7

0a025116a8...57.exe

windows7-x64

8

0a025116a8...57.exe

windows10-2004-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

1.exe

windows7-x64

8

1.exe

windows10-2004-x64

8

18674bbd9a...38.exe

windows7-x64

8

18674bbd9a...38.exe

windows10-2004-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

234901adb1...b2.exe

windows7-x64

10

234901adb1...b2.exe

windows10-2004-x64

10

2ae06537d1...b6.exe

windows7-x64

8

2ae06537d1...b6.exe

windows10-2004-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

2c02c65090...91.exe

windows7-x64

7

2c02c65090...91.exe

windows10-2004-x64

7

3.exe

windows7-x64

10

3.exe

windows10-2004-x64

10

329b3ddbf1...f9.exe

windows7-x64

10

329b3ddbf1...f9.exe

windows10-2004-x64

10

336fe6e8bc...de.exe

windows7-x64

8

336fe6e8bc...de.exe

windows10-2004-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

4bd31921c8...be.exe

windows7-x64

8

4bd31921c8...be.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3.exe

  • Size

    157KB

  • MD5

    4bd82da426f6b59e08b40044adb5a3d2

  • SHA1

    097db21cb36c15979730a775ac6bad1240d75275

  • SHA256

    add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310

  • SHA512

    77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630

  • SSDEEP

    3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM

Score
10/10
sodinokibidefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\Users\Default\b089lv602-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion b089lv602. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DEAAF204A8C7F96F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DEAAF204A8C7F96F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: q5FT1RBGiQ2qHk+fadScbc6zK7USYt/e9Z/Ow+8LqD3VEDPH8dk7Q9ulTrd2PvlW i6qn+aaVqw0mGd5fAUSPjJ5G65W+MoYKHTf5cHdhQ9RKika6qm4VHSkngMK2HAGq 9eNZ7BTCNswMTYRgiCt6lYnMXnfyHtrQdW54Hmu/r7YkNggE3a8tNmhsGBhYwb+I NYcS646Oh4P2uvdnX+FxuwRKmV3Vp5KNqCqS5XRmwJddLAkw9ef9JKdpcyQAMdWS pv2Zg2T8/TlJioKmBWoVO2h95kKqc2BTzNCqyfmtAd+GQ7xJUxTZ+ivI5usVvjbj 746x4wSLkJkqjohyD5matwBH/NJNZ+wyTbccLBDwfcDIgvgVeJEaCUNsTQ9x1+wj xJ4DMg/ENloK5TqaHP8DIHouWgCmWitV6UCB88iteXT52x5rzmg1DQDfiaijJzM1 VEN1EYuN3+qI3pe4Ko0bFVjT4u3AXzw+Yo+oUUXfLBsnA800Ghy70frMWqKvDhaY VkwHiZVFQR867JWb83cYC33lOeqsvwXVKp982t+LYCbxtr6VLJGl9BUYPBInzqnx hHAP35Fxk8R78DuF9n9QYHrStPtYSUHR12Uqttem/9EdBxbvmpBZcdKymUlrMB8e 4/wCfisWXsNZ1xwhrEToyxzEILf1/fnoiXC9HsfSMifH+wVZ/XIZyDfVoNssRUcg DBTjgCjP8+oDiv4VJb9mjB+rWL2wBv/ixgTjZo4Q8ebXU140YytVtpysuaXNhgwP POvhG5/v0oDG0C5xfJY40/w52RvJGttfaeTUS2e63WtuvIAN4Op9qcadNVsg2yoW ztBe5tCGAahFTdLGtwH+9wUPrVNBvtKW5GsuS8ws+OQLi3X4+9b4W1Goz2DNH5bu AOSMMNKJq8dLhbhu8umSn7nmp9FGAnOe6IOZ7P6of+DfqafQwdyzdTOJMaoxTxAM v8q5A2NPknBQBrjDgiOEZbdm7ZkhuNL3o8LD4GI7PLsSGtTDU1cNVjaesvKzkb3J fgGnjnJzdEfxSMjQmOCxmy+4Vur6tGNhANfs8C1d2ZwNBCZMw2+K8GQu8HjZVvUQ TsYSAnx/E7ACNxAMBc0N5uTYpW8ZFz3BODzPq9FLLRBrUJgnGJeIdfrbv9gbV1QW Y+Q/a44gelhcXwn+noOelx+XrV6+2oGAgB0= Extension name: b089lv602 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DEAAF204A8C7F96F

http://decryptor.top/DEAAF204A8C7F96F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (213) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2884
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Default\b089lv602-readme.txt
    Filesize

    6KB

    MD5

    0fdc9f26aab6ad0b7e6ffa8c2ec16b7d

    SHA1

    5cc2e17b2f9aeeabf4600e66d621d362b2ac8512

    SHA256

    2f725fa735ff83f62d83a2701260d1b380d7dd7033d2fa8406eedac6b244297d

    SHA512

    d22192425932971375ca1c6965755552ade7a3cc11a9db1a4ef8661f745377e4db490eeebb8024a6fb85a96a536d7298953359da4bde5fd34c5b34b7e1d4383b

    Download Submit