Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 13:46

General

  • Target

    3.exe

  • Size

    157KB

  • MD5

    4bd82da426f6b59e08b40044adb5a3d2

  • SHA1

    097db21cb36c15979730a775ac6bad1240d75275

  • SHA256

    add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310

  • SHA512

    77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630

  • SSDEEP

    3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM

Malware Config

Extracted

Path

C:\Users\Default\23n373-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 23n373. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8172E5319B91F962

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/8172E5319B91F962

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:
fPA4YhHuSo0O6b39MBPieyO1nJaSnqYPumvssIs+YsbHa8gy8gIkPVU+wsZmbzpS
xPTfUuajFvGoDbc8+6Fp6wHLlbzXN6spNX/pJlysHQ9TNGl1nMIgw2iq2TIA3P6c
D8GW2TQixc2MSRbSmBmz+IH4NqA64Lf4ZGR4QATnQih+Ma4q3JbvkZDLJEuBWWV/
tGnXE9v9oZF5qhZcN+5NKRJpTaoGf7gq4fPR7aPjHm+iz/2058CWynS20u/J7KUH
hA46Ql79IQXWFhYowUvh3WVpc7VxDDzN4z0EJCbqz5viqcZYcBSN2TOFpj2qC6od
rTOfXnaNwKKjJi5klhqmy4yvHTGKHKxDoUbreBZd1pZQoighicIywMLCwVAJTGlZ
jyDeLDFuT7iolMUFB5OX5dUx62Wal8HDpJ/7zhoSEMoMQTsI2ywJW2J2oXvzQ2aN
foCOFqevGTxT6qxH4qLlVwOKUFeFLHiXhcBIyKxjCeNzfZDr5ckluuswhfgJD3A5
BuYTEp49MUPQf5CHKXFfIkUSq1foXZQJGZp4GKrwBXPPmMXzbETgrSYxWCxLcC3K
npvtMLAjCrxdRC2VghNVZ4GeUj9g5jvWaQewnsIL1AvHzEV7kP5yMdZD06HjbHry
MsTb6OT7VahM/tDpAat9/rU933KLEumAqIt8zzpwGMDd6SbgHCcZMTkynF3WL99e
LADKEFJHvqFPBhlyYmd/v4aanbPiCC3mMXomsRE+l9TbO0ew8oJHEJz+gOliRhXW
8IyP+oJLomTcJk/1bNAl7KDhF/kQdfUa7EbG9oqgwF+zqRamFdH0Zcy36RbGYnSp
GajoqoBf5Hyf8Dk8Ao4Nopz10kC4iNprN9RUYtqkmhoJr8h2027ngDIgn5UUORMD
W8VxHItuTj6vMUvjxFEMNZiy5K3XN9Zy5ncggbMF99HKCnmeSLmn0ghX/wu55oUS
2I5aCe8qR7i2UcYpFudAVUY90XM3m2FCsQZvLZbpBR2iFkMsOn5OXUgZfXY0fKc6
Uz/S5Sf2v7aHu5gvuvKpBafEv15yyUR0fmwbp5CcQ4PtmAdcl5GUUi93hULYN4tK
2Q8cv0QbiduTJ2PLeTmvGVcL9EAxt30J0DUrvIHhkDYXC/S5u8gjgCuoLMYtpiUP
fQD7SFq2ZnWtzvpAmHvxHthH7JiriMHvsm5yTqzE490=

Extension name: 23n373

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8172E5319B91F962

http://decryptor.top/8172E5319B91F962

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Renames multiple (157) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Default\23n373-readme.txt

    Filesize

    6KB

    MD5

    1d84ca040f6b73f720071ea3b3c4823d

    SHA1

    0961b292fdaeab2f9dbc7304ffb0c1841be5df92

    SHA256

    bf6256441ccd1d666dd6982dec31df8503a168f18c52b78dbf0191499f73a635

    SHA512

    b063882bf3db35c1c20b553ad45a2067baa66599340a60ffea5f8cb5165731a2b185f2f1c1251aa5f05220e2ae7103f5d09de2d9e3c8c15900d0e95e34a32123