Overview

overview

10

Static

static

10

v2.bin(1).zip

windows7-x64

3

v2.bin(1).zip

windows10-2004-x64

1

v2.exe

windows7-x64

10

v2.exe

windows10-2004-x64

10

Resubmissions

14-01-2025 05:35

250114-gaenbszqam 10

10-01-2025 23:50

250110-3vv2pswmhj 10

11-12-2024 15:19

241211-sqgcmssnbr 10

09-12-2024 01:54

241209-cbqprsxngx 10

26-11-2024 23:15

241126-28wpqa1ndp 10

30-09-2024 21:45

240930-1l2rsazhpg 10

15-09-2024 22:03

240915-1yl7vsvbpf 10

15-09-2024 20:03

240915-ystcwa1elr 10

20-08-2024 16:21

240820-ttt9cawalj 10

Analysis

  • max time kernel
    1800s
  • max time network
    1801s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    v2.exe

  • Size

    121KB

  • MD5

    944ed18066724dc6ca3fb3d72e4b9bdf

  • SHA1

    1a19c8793cd783a5bb89777f5bc09e580f97ce29

  • SHA256

    74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

  • SHA512

    a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Score
10/10
sodinokibicredential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\265062875m-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 265062875m. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3037CFB247B8F004 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/3037CFB247B8F004 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: QmLKfxXClLmrViavNLAllIG/VoXXSEmyWrTUAw7IgucBPdVV9HkdLxaiapDfX7PS JIGOu/px1u5Z5XiF1BAb/xpdF+Q+RY1GTHx61zymQl3H4hdguCrC3UMER5rlfbkJ fOQvMdFnSb1h4agLgh+ngo9R2YyWtTsi4Yh4q+ldG3FxV3ciBeyXp7oU/hghX1rv 7KyNpajNgzbAv3NUP0m7+Yb9PO6aK5QtQm6LZ00HTwsfyZ3JIRgc71LqpWhk/ymJ 83vU8TERT8oV76Ylt+SdzY1pH+LKpBJ6ILn6/XAWUkyWsE9ueUAc5sFIaj9g7RXX 0mkjmruOsG5mQXePGVCkJNQu5DlYYA5/R1hNZlHs7A4LnHHTOBpP34puisudCjMs CFJNfu8WrcAkOdy28Xy9pTqer9IQjCl8f9pm0y1W0xQiXQ7CB3DskAv2qgj1oYDD jH+rENOV16Q1UtQVUBQhu0kz6vy6c69/ziPV5aPXWqbnxoMK0ciLAFqB5uyz+RZl Y+Fc72sZctJ158zvszQlBQZmgc2osVjRlAk5fvNN2xiA7m9wFgRytsjUrWVdX0XM B4B8VGzpvxG8Y3yw7dUAGXN5iUFh7lV2MtvHkyHSeOOBxawiO3FdGM+EZtJtEaGb QGr92VeIG01gQtHFp4fgCUmxsKXgS5GfJVlHlnALoh7vLdFv9Hj68Ab4twACJoBQ SjaetAkcUdHo6BQP5qyKy2WGEZS3quljPY3284pXeNVlPDRcl75pTGca9uyLYitO himQVEfe8JaUc3tfCdpPEsJGr9Utjkd/vacq59nFGBFBbBMJwj+xMYIEiRj8tOxU xMaJ9YFtvv1dNPyypbl3dc7P0TlADcRkKeMS88qJGWSILtR/KtxGiPHFMEHEHl2J v2FcArPrV+N099Y9xpCznhZPzyotzXivGvKN2rFs93C2DbjUBJKM+K/ZPmKChOoa orAz+5KquJkLrwafD8gfGD3vQHc08tv2XOJg4lvwdxx8BqHlF0qIgqvIuGJ1Kj/b RNo2LZ8Tkn5xADy7lgf1SJpKCJOXGkIz4Yjx86MD/VRwVj3B3kPJTzUtHwq9QhXv TKyKiRWdBNC+49gKTLlL3e5fCBggb/cs5aVeo5CUsPABG1eU1YEFyR3aiN0xN9mr CaakLaTCxWEjIUKHW5pmBU2QI4aG/AaNRoQ+09gnTS9Hk0+ajM1QhLjcW6LVZf0s Nu0m4SglkEZ3UYm/2CcWnpe5IH2xQjMTgAIxpmBis00nNH5fdFGKQv8JnNeMvB5q QvDEPIWJeiHOrm7+9/s38esM43fiTYzPdalL3laalNzYuLp+eqDBkKwRe3s45DFO bGMbIwJoqxVlq/wpmMhPcjx0bFPI6AZGGxgGYA1Ds6/iKYTF ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3037CFB247B8F004

http://decoder.re/3037CFB247B8F004

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Contacts a large (548) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 19 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 16 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4080
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:5040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\265062875m-readme.txt
      Filesize

      7KB

      MD5

      5dcaf611d7afa4e7ba779397bb2ceafd

      SHA1

      0ece987646e9e20f6788dd3ecebff911364d1151

      SHA256

      78d15f567929d0d51f719a9958dfbc3bdd8b14c39d698c3dc7dcf8ec36b727cc

      SHA512

      08396ecceb24fc8f4a8d9f738ad4a2a3651859673778c6dc5db5b883b9b14b28cba59f57e0f969586003d5b967249e98f818c321ef9ff086e297932f9912de86

      Download Submit