Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    09-12-2024 02:29

General

  • Target

    v2.exe

  • Size

    121KB

  • MD5

    944ed18066724dc6ca3fb3d72e4b9bdf

  • SHA1

    1a19c8793cd783a5bb89777f5bc09e580f97ce29

  • SHA256

    74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

  • SHA512

    a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Malware Config

Extracted

Path

C:\Recovery\1d281dn829-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1d281dn829.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D51F3167E776313C

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/D51F3167E776313C

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

Am0jj7M9bVVOIwfmYB2unhE5pc9Q3JfHPqFODPccvRrLOyB5OD8pQEm229m1toJ+
DdfD3eEY5gc6366FpX31QD/tHtmdnHRTEs7VW9KYYbDvf776sdMhiec0u6hlPjly
iA8BA+YEBUAtdB3R1LQILG7+IETdt17kLTVy3uO6aYYkwZUyEjqSC6Cz+OGYTWea
nBHbeRFJQhqTKxNVFRuaE52qO6bDlvUyqWKdQmHDm4X/AxCDMgC2IOVyPB0ZDEsZ
juZYRBNFGQUut0TQaZ9l14XNUGRgf1g4g+iTwWgOr/Wgr1BK+P6HJTMsaOlkuAUa
sVdGMaOzP3tCFskzUl/5OYNH/uDj43jcZFaf685ZVxNbETY5vK/rePshdvbpEd4h
aC8Exm9e2VT5CqO1sM4Oreo+YaETZEp2zDPOHdWEy8T963Cr9INGoTD0bzYt2/L5
QcW/zOeXhGBeB0d5El/sNjFl5+lBp3DS/mhESxfSRnYfmB8i5Dt0vUlmHdAKHMRI
8mSNBa9vlFXuEnjOQ9IhRZnTsORIjUag6jsgqqoyj+BPS2IiorCma3nkWVYJdqST
uA1PxwJOSdyyfutZPwlR9J5/LjP34SfNDnRCo+QCRyBYfTLJ9DVv4zSKybHKyWhh
7f/UbNlayTvHmc/d2kBq4QoYzwWt3QDF+HnD0mkxVQT7WKxWwX1P7lQK4yYVbYFm
J+/x8PIct1aqvd1zQruTwxEu8vzWltpH8GfPiWOtdsVnKPGKOsY+69oKnk9rmW+f
ZJEjtMn1FQgor6pEy67szsCr5rdGW2D7iKEb1+DCCJlP67dI4KEPoLH2MQTUXP8s
53/DDl0aRJafqprOOQITVlNRWH2ZJR/v/L2rCBSPXtp6xElFd4mqvR4YoGDQ9h7r
e8l2tmTYEAxZI1Aa/dlLxgR5gvqWCDasnQ/4n4+BSeTr86SWJja6fgoDFI2S88XN
MmJJBRotVnTyfJyvcPQUqnR7AMNLpEInBlA5yPgAPDrQsp9cQKNJE8MRobDfAQaz
oAYMqE2igsylu/tRXkdH3gvfhlA/3D0UY2ZjzoPfv/YyqifiZybqtBhAgDv//0kU
qsNIrTub0vbFy3aX36zzx+urlg35BQAv9GZlDw4DKAHyqRVY+ApZQuiN8mu7VL4b
Bt/MpMe8K5uoITF839WBhhkt6fUAWMujt8P6oR05QjoZjr0Z1u2caMTs0NqpUNza
ft7l7uzsqvLCj7zlAUe4pmSnlwgUurI0w+2j7n8Lgv6H9f5OAp4vBdn9pMuPjrWn
7K9O+RLGHeIqnJ4be4CzQmvG1O1jG9lkkIMCPzGl4jZ3prZ4wweiMp15PBTF8reI
IQehmDFs5mMmDJ30XQGH36uIKPrvNlitiojMhGT3

-----------------------------------------------------------------------------------------

We will use the data gathered from your systems in future campaigns in 14 days

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D51F3167E776313C

http://decoder.re/D51F3167E776313C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
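The extracted configuration above gives a responder everything needed to scope the infection on disk: the extension appended to every encrypted file, the victim ID shared by both portal URLs, and the SHA256 of the dropped note. The following Python helper is an added example, not part of the sandbox report or of the Sodinokibi code: it parses a Sodinokibi-style note for those fields, then walks a directory tree counting renamed files and locating dropped notes, comparing each note's SHA256 against a known set. The sample note text, the throwaway file tree, the placeholder key blob and all function names are constructed for this example; the onion and decoder.re URLs, the 1d281dn829 extension and the note hash are the ones the report lists.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set

NOTE_MARKER = "[+] Whats Happen? [+]"

# Constructed sample note. Wording, URLs and the "1d281dn829" extension mirror
# the note this report extracted from C:\Recovery\1d281dn829-readme.txt; the
# key blob is a placeholder, not the victim key printed in the report.
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===---\n"
    "[+] Whats Happen? [+]\n"
    "Your files are encrypted, and currently unavailable. You can check it: "
    "all files on your system has extension 1d281dn829.\n"
    "a) Download and install TOR browser from this site: https://torproject.org/\n"
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D51F3167E776313C\n"
    "b) Open our secondary website: http://decoder.re/D51F3167E776313C\n"
    "Key:\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAx\n"
    "MjM0NTY3ODk=\n"
    "---------------------------------------------\n"
)

@dataclass
class NoteIoCs:
    extension: str             # appended to every encrypted file
    victim_id: str             # last path segment of the portal URLs
    onion_url: str
    clearnet_url: Optional[str]
    key_b64: str               # per-victim blob the portal asks for

def parse_note(text: str) -> NoteIoCs:
    """Pull the fields a responder needs out of a Sodinokibi-style note."""
    m = re.search(r"has extension (\w+)", text)
    if not m:
        raise ValueError("no 'has extension' sentence; not a Sodinokibi note?")
    urls = [u.rstrip(".,)") for u in re.findall(r"https?://\S+", text)]
    onion = [u for u in urls if ".onion" in u]
    if not onion:
        raise ValueError("no .onion portal in note")
    victim_id = onion[0].rstrip("/").rsplit("/", 1)[-1]
    # The clearnet mirror repeats the victim id; the torproject.org download
    # link is instructions, not an IoC, so it is filtered out here.
    clearnet = next((u for u in urls if ".onion" not in u
                     and "torproject.org" not in u and u.endswith(victim_id)), None)
    k = re.search(r"Key:\s*(.*?)\n-{5,}", text, re.S)
    key_b64 = "".join(k.group(1).split()) if k else ""
    return NoteIoCs(m.group(1), victim_id, onion[0], clearnet, key_b64)

@dataclass
class ScopeResult:
    encrypted_files: int = 0
    notes: List[str] = field(default_factory=list)              # every note found
    note_hash_matches: List[str] = field(default_factory=list)  # SHA256 in known set

def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scope_tree(root: str, extension: str, known_note_sha256: Set[str]) -> ScopeResult:
    """Count renamed files and locate dropped notes under root."""
    res = ScopeResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith("." + extension):
                res.encrypted_files += 1
            elif name.lower().endswith("-readme.txt"):
                with open(path, "r", errors="ignore") as fh:
                    if NOTE_MARKER not in fh.read():
                        continue          # some other readme, not a ransom note
                res.notes.append(path)
                if sha256_of(path) in known_note_sha256:
                    res.note_hash_matches.append(path)
    return res

def demo() -> dict:
    """Build a throwaway tree that looks like a hit, then scope it."""
    root = tempfile.mkdtemp(prefix="revil-scope-")
    docs = os.path.join(root, "Users", "Admin", "Documents")
    os.makedirs(docs)
    for name in ("q1.xlsx", "plan.docx", "photo.jpg"):
        with open(os.path.join(docs, name + ".1d281dn829"), "wb") as fh:
            fh.write(os.urandom(64))          # stand-in for ciphertext
    with open(os.path.join(docs, "build-readme.txt"), "w") as fh:
        fh.write("ordinary project readme\n")  # must not be flagged
    note_path = os.path.join(root, "Recovery", "1d281dn829-readme.txt")
    os.makedirs(os.path.dirname(note_path))
    with open(note_path, "w") as fh:
        fh.write(SAMPLE_NOTE)
    iocs = parse_note(SAMPLE_NOTE)
    # Known note hashes: the report's SHA256 for C:\Recovery\1d281dn829-readme.txt
    # plus the hash of the constructed note, so the match path is exercised.
    known = {"6dc35f9e1ac899fe46390e522413b6d5cc08b3458d6e27cc6b9ae9a068ddac54",
             sha256_of(note_path)}
    return {"iocs": iocs, "scope": scope_tree(root, iocs.extension, known)}
```

Run `demo()` to see the parsed IoCs and the scope counts for the constructed tree; on a real host, call `parse_note()` on a recovered note and `scope_tree()` on the mounted volume instead. A hash match on the note is only meaningful within one victim, since the embedded key blob and victim ID make every note unique; across victims, the `-readme.txt` naming and the `[+] Whats Happen? [+]` marker are the stable indicators.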

Processes

  • C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2072
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2888
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Recovery\1d281dn829-readme.txt

      Filesize

      7KB

      MD5

      c94f24d9b51422e79ab9d039cd115f6b

      SHA1

      352199b79319a740c68516caaf26d2fe8099f4da

      SHA256

      6dc35f9e1ac899fe46390e522413b6d5cc08b3458d6e27cc6b9ae9a068ddac54

      SHA512

      e28e061f03d0e351239fae4d60ee25a7f8b57f625372d669d6a3584d601b80eb31e6dcde89d29b79ae2f6e525ef053775ddeec80101ba37d41e5b172c8c5634e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      0d4147d157eaf79bc15e6058a0f0de4d

      SHA1

      156c93174943f1f65176fb6a0b843e674776e7df

      SHA256

      c6bc9acacbc40dd830d05e49a7eae3f0e91e8db6a6026b76af8678b221d8e2a8

      SHA512

      c05675d9c9d4b8747d3eb30e68003f4a86ec4c90a8a38c80afa3d5221ee1c8b92a21b75e8213e2c5d5303b056942f3544a4494b999bd518bd0791c6045b444f5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      f0d893ec37e1632dd5231e068ffd220d

      SHA1

      0ea0320d208dc4fd511adc066b9f1c8a07e6c812

      SHA256

      6765ef7b9b9071e9efa316a6d3e11b4fa146cfd486f468033dd276460d7a3312

      SHA512

      97faaf1a8b80c79a58c3598b484899a6a9f42afc2baee5c27098732d181174a3286d9c3290bc618c3f4f71cf962de45a482991993a38f4b4d4c071a3b0ad2eb6

    • C:\Users\Admin\AppData\Local\Temp\Tar1F77.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      191KB

      MD5

      1b8825843707e56dddcea3a095a0d380

      SHA1

      f649e82dc9ba9024c1953d79fb9c2db660d5b2c7

      SHA256

      6d1566e86d1fc002ef8a5818e94f712e77ef4c005afddfa9012782c212297d54

      SHA512

      45bdcf0009c9e8c192cea205dd0f20d3cc41ab606d4462e331cf430a46db6087589e3742d762aac9965a4e70eb256794770b70b59ba85319b750a6e4f43dea9e