Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 22:33

General

  • Target

    run_revil.bat

  • Size

    120B

  • MD5

    0d0877a920cc13d77e89e72fd098d238

  • SHA1

    3af65d1f0ff34ce90c289b1201a489575dd225e4

  • SHA256

    41e9c846ad4099da47e7baa5ebfd51bc53a10716cd00130d843bb33e53440120

  • SHA512

    b189fc8d21678926b7d79cdeb0ec44a63519cd7a7c85ce659b78ff7d2f526e2e92a2b308cf791c331cdc5cd5ed1d0fb482996a9587c3ee8c3741307dd9b4b572

Malware Config

Extracted

Path

C:\Users\dlqoj-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension dlqoj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/425D415C9C564E5B

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/425D415C9C564E5B

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

B2yOYOtQsl0YaHKfUHR1SkIyY6tbpwtzx/dG2uGQ5I47zkysk6UKn+b38gcNWGG6
hrr+CeqjvLGFGJpeh4CCgMj3M4uuKn6pDzjfLZlLUIlhilrn/ArReU+HPhQQa3yW
8b7Q23+sYmJXM4n6FOfAUCeb2cmkHWe3NQIauV797PNCjqV6Qi4JqOabdCHwnN64
cpRxUmsYUXCOAvQ7ZISLwp5LVNCHP8x7a5v6yXm3Om1Nd25X5k6Bid7wKf5SvuBe
hwF4n9bLPqkYXGUe3kkFdnFfhW9/IC/7GfwEzYitaBwgBzgj2Xv1uKAZwHjfL8IJ
ekWyG23FMBggyiFVMcO89riWKz6oEr5k1rgpWevVm3zr85/9nv/MPzFwIGd1aNKG
VohC0nrba3mA3b72NyPwVweFA6W32xnUQ8+nobuKN1OaREYPbTAHelD859rr02X3
wjF2idxluQYrRPwEED3y0pfdBwb9AhzzNM7zKa3fEf/PN+pMJIdV94JX3mhdhlyg
bcm2F7aMVB1BrRqQ0Gvr/iZbCMJGKm7gWRTJs+skucW6ZKSZOWizYgolMR+uz7Yc
GOW1yjm9h8HZIwMcU8ls8UKUn4/4N3SCkrimOLDDdL4pXnN1pYWwa5M5VeeYA83Y
nrNNip5w2v5Tp8dBmd9aEwgV7GAxjlllBxuG8Qxnt7W+bQKV1gEOv9R6D4opUa96
S4M0AJNMfusNs4YdQl9g6RGu+2I25N2dZCTw0pHfrKbbLn1lVyqYQKQ0jLTG01gC
qNV+T2dU/fYzQXgiVFVaVRfD5kZFaOUmJy6TwLPCS7m0mbIgMB6oVJCgZYsUrCLh
CPbfrnQ2cy6vb7V/Gk+K1nchAeltA/YjjyYFoInm/pgQbg+Om39T5o1sd+rxxcTs
8RxTtRbaZd91qOQxmaZyblhQpdGcTvCG7T9n9Mze3PceM5wJT2cIadHwTBsrqbCW
9i77E2oNMhCYTtZJQnaWY589hCq2Qhz3qw936TC+xnZShYsSNP5i4uF0Ml29DZS1
O8fPSqey/rYEsw5Ckxb9CJWr661+LnEeo461COIVAY6eYH2X6JL6EUQYGX5Q0El3
aAgF2p/8exy7iXC8mabfISPyPwBVGWnOmV8MzumfbkvxKIuofSZW4WzbSfwtoZb6
L/Lx6/daSgbf9jQ8Pik6mQr/FD+cjOoVIYWE8xhuTB9zVusYWAKwuRZKnCmPwAcD
f3iLRjpQD/aPasgGonPrt51eaLpZnnLITNLaeO+MxTOjoeFvdOZ3Di/g/QaBwqTg
PdGpV3//y1l7S0HeiM//WNNJTNKho+hTm9mLUX7E2JGKJWyifO7QxNnJWvvMOUG7
kJDpIhl7YiwwIXDgCAZBQadFj7tl13ZcTDqVC4TV0IkzkIqj

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/425D415C9C564E5B

http://decoder.re/425D415C9C564E5B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (36 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run_revil.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Users\Admin\AppData\Local\Temp\6c5ddbe058da35b2731fe10234520a6bb78604f860ed4188a1bd07e62fe4ec11.exe
      C:\Users\Admin\AppData\Local\Temp\6c5ddbe058da35b2731fe10234520a6bb78604f860ed4188a1bd07e62fe4ec11.exe -smode
      2⤵
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:216
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\dlqoj-readme.txt

    Filesize

    6KB

    MD5

    25e8254a0d3ba0a1096bae20d6ebac0a

    SHA1

    dcc6f742825867e335ea38b4957a0196ef84358d

    SHA256

    046734876c63f491e9ae782355338ab8667e388d4d856312c3819a073578f502

    SHA512

    5be2e4126bd206b877e2484f2e23a780d0ca4dd3ebb2241a46fc50d4e8fc22c77878bf6523c2c3e3fca6e56e0778c03addc92a5e5e9d410c14444d3124b33163