Analysis

  • max time kernel
    130s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 20:44

General

  • Target

    malware_005D0000.exe

  • Size

    164KB

  • MD5

    890a58f200dfff23165df9e1b088e58f

  • SHA1

    74e3d82f7ee81109e150dc41112cf95b3a4b5307

  • SHA256

    5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

  • SHA512

    2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d

  • SSDEEP

    3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Malware Config

Extracted

Path

C:\Users\lnb2t8g7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion lnb2t8g7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDE6B0E0A31A5F84 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/FDE6B0E0A31A5F84 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: DxL1fVICf9+GWBiOpUXlthcpNsiHtnaspK7U3KU0ggsSpFreST1MG8KJRoAohXBG /QRuPMiqNiT5rXFCckJxrdQ7/4vKewSwtKsKfiAwFZHsmmRfF5eTrGlFdSzcyCN6 dCeqr6KjchRDCdHs0kV8sSqh19BEBByit5Uh4wJ5LaQhxISscqrXiCH/u4Hs1Pab Qnd1eFOrL+R7sPLB2rS2GAo5fX8P2aX4aDS48r9PDL8P9GQYRwIgAdlDHlUYokhT zkqTeqK79DrABUbHeDaXNM/ouRPgP8l9mW1PEJy89NA90ptt/nt3SyuiAWtwnFyV V70vij8qoEsXvTN5y7Kaj+aMc3AR72k5e5i01muIcWGZU8DxTIzjWCKEviR9mHW1 SVVLTPxFTCT47IzZIKWBa1eAT/Q1tgFWucMgTbBOgB+XzbHb71CT++XWX4VEh+jc +hToYt94yShChgIgxuuVkhrxBGvdfdT+q5Panr0LhXL9KCFLTi8pmzRD2EQa1EXR UjczQ0jEH94z5tqo56FiXE62RLgRJR+sb7SDTO/3nEMgpzCJrICzQbHRxdVdtgKY piqvtxdN2w1NMHHlJSnYvbgPBn+yqIWo32sP8J8jT0lJiy02jWcPyX3ThXL7c6yZ Gw0zaX7wLSejOnxrCEhMSMrsVCyl/R+mkPQDYdvn2V7R6QpjBoLj6WaxHpUUIiu4 SbtLM/MWRSuQxMuNkRd+6QCRv7tYRA+1vpQ1aiIhYJb0bLvNRPo4IzXW5VuKLmif fmnidU8iriLxw/pf9vigTAsSm0neWfY5ZLFVj8g6tB4o+a5SJtXsxPmRG7aAxVuC rLHrd7GI8VI9dO3vmy5Ob5RhvhUgJy4JlKiUPiiN3ZMGeby7t4Q8nT/mNeNqO+N9 MmMW4mV0qlw5aJ6Nn5SVF/40CiqBEH2sQxMcZEnD1HQZUt8zVhC6q+8p0Cs0xh9L +b+x3uIP4KBQLUmcnBSvS8Cyo9kmTPB0Aol8oKtHznMCwzdzDsDrgPfSpyoMNxEu 2vcPpi5iGEKXyp/fGYZZs/3Vd0vtlH+5DU+t1mw+MjTYyafgBdNbfiUalhCleeUx f829KsJZ0n/asN8Cyof7nisChVGq4zix9HFrFAsSzkADoTMCYyE2QDXNU+wtKYX/ jduKLXH64C/Q+k3UL17ApIT4h8RKOa2i40Nke7jthFsjAguUowXKGKhb8S/ORBfo zX90tYK4ZJIyEppy Extension name: lnb2t8g7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDE6B0E0A31A5F84

http://decryptor.top/FDE6B0E0A31A5F84

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe
    "C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2988
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabE93.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarEA6.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\lnb2t8g7-readme.txt

    Filesize

    6KB

    MD5

    65e7562343457f767ad4ee8710baa55d

    SHA1

    aa84df7905d3ffc30feb936b344866ec9f695f3d

    SHA256

    9c17e500ef17ab6a491c997dfd8f60adf2644e3989d633c044bd2a131fd0d0c4

    SHA512

    9bffe9a3b04e2e5922c8294fd997f123a283caccc099706f37b3a1626198eb96ac5eddda340d27bb20a263252156ebbac9df0ea84760ffb98ac3d3903330a45d

  • memory/1688-7-0x0000000000160000-0x0000000000166000-memory.dmp

    Filesize

    24KB

  • memory/1688-4-0x0000000002280000-0x00000000023AD000-memory.dmp

    Filesize

    1.2MB

  • memory/1688-10-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

  • memory/1688-9-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/1688-8-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/1688-0-0x00000000000E0000-0x00000000000EA000-memory.dmp

    Filesize

    40KB

  • memory/1688-6-0x0000000002590000-0x0000000002699000-memory.dmp

    Filesize

    1.0MB

  • memory/1688-11-0x0000000000160000-0x0000000000166000-memory.dmp

    Filesize

    24KB

  • memory/1688-3-0x00000000021E0000-0x000000000227F000-memory.dmp

    Filesize

    636KB

  • memory/1688-12-0x0000000000160000-0x0000000000166000-memory.dmp

    Filesize

    24KB

  • memory/1688-14-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

  • memory/1688-5-0x0000000000260000-0x000000000027F000-memory.dmp

    Filesize

    124KB

  • memory/1688-2-0x0000000001F90000-0x0000000002059000-memory.dmp

    Filesize

    804KB

  • memory/1688-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

    Filesize

    40KB